Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

cars-seller-auto-classifieds-script_project -- cars-seller-auto-classifieds-script
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
Published: 2021-05-14 | CVE-2021-24285 | Source & Patch Info: MISC, CONFIRM

kaswara_project -- kaswara
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Published: 2021-05-14 | CVE-2021-24284 | Source & Patch Info: MISC, CONFIRM

laobancms -- laobancms
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a "jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".
CVE-2020-18166 | Source & Patch Info: MISC

linux -- linux_kernel
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.
Source & Patch Info: MISC

yyfcmf -- yyfcmf
YYFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.
Published: 2021-05-14 | CVE-2020-23691 | Source & Patch Info: MISC

Medium Vulnerabilities 
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

10web -- photo_gallery
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users).
Published: 2021-05-14 | CVSS Score: 4.3 | CVE-2021-24291 | Source & Patch Info: MISC, CONFIRM

apache -- traffic_server
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
Published: 2021-05-14 | CVSS Score: 5 | CVE-2021-27737 | Source & Patch Info: MISC, MLIST, MLIST, MLIST

dedecms -- dedecms
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to the web manager allowing remote code execution.
Published: 2021-05-15 | CVSS Score: 6.8 | CVE-2021-32073 | Source & Patch Info: MISC

express-handlebars_project -- express-handlebars
Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e. file.extension) can be included; files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
Published: 2021-05-14 | CVSS Score: 5 | CVE-2021-32820 | Source & Patch Info: CONFIRM, MISC, MISC, MISC, MISC

express-hbs_project -- express-hbs
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e. file.extension) can be included; files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.
Published: 2021-05-14 | CVSS Score: 4.3 | CVE-2021-32817 | Source & Patch Info: MISC, CONFIRM, MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21841 | Source & Patch Info: MISC, MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:48.
Published: 2021-05-17 | CVSS Score: 6.8 | Source & Patch Info: MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21842 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via bit_calc_CRC ../../src/bits.c:2213.
Published: 2021-05-17 | CVSS Score: 6.8 | Source & Patch Info: MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2417.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21832 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_classes ../../src/decode.c:2440.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21833 | Source & Patch Info: MISC, MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_preview ../../src/decode.c:3175.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21836 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via bit_search_sentinel ../../src/bits.c:1985.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21840 | Source & Patch Info: MISC, MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_appinfo ../../src/decode.c:2842.
Published: 2021-05-17 | CVSS Score: 6.8 | CVE-2020-21838 | Source & Patch Info: MISC, MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:51.
Published: 2021-05-17 | CVSS Score: 6.8 | Source & Patch Info: MISC

gnu -- libredwg
A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:46.
Published: 2021-05-17 | Source & Patch Info: MISC

gnu -- libredwg
An issue was discovered in GNU LibreDWG 0.10. Crafted input will lead to a memory leak in dwg_decode_eed ../../src/decode.c:3638.
Published: 2021-05-17 | CVSS Score: 4.3 | CVE-2020-21839 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A null pointer dereference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2337.
Published: 2021-05-17 | CVSS Score: 4.3 | Source & Patch Info: MISC

gnu -- libredwg
A null pointer dereference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.
Published: 2021-05-17 | CVSS Score: 4.3 | CVE-2020-21834 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:29, which causes a denial of service (application crash).
Published: 2021-05-17 | CVSS Score: 4.3 | CVE-2020-21817 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114, which causes a denial of service (application crash).
Published: 2021-05-17 | CVSS Score: 4.3 | CVE-2020-21815 | Source & Patch Info: MISC, MISC

gnu -- libredwg
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318.
Published: 2021-05-17 | CVSS Score: 6.8 | Source & Patch Info: MISC

gnu -- libredwg
A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape ../../programs/escape.c:97.
Published: 2021-05-17 | CVSS Score: 6.8 | Source & Patch Info: MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations (https://github.com/tensorflow/tensorflow/blob/4c4f420e6... L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/b400... L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/481... L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. In eager mode (default in TF 2.0 and later), session operations are invalid. However, users could still call the raw ops associated with them and trigger a null pointer dereference. The implementation dereferences the session state pointer without checking if it is valid. Thus, in eager mode, `ctx->session_state()` is nullptr and the call of the member function is undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation (https://github.com/tensorflow/tensorflow/blob/ab1e... L203) fails to validate that indices used to access elements of input/output arrays are valid. Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29579 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor` (https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTens...), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op (https://github.com/tensorflow/tensorflow/blob/8b677d79167799f... L446). Before the `for` loop, `batch_idx` is set to 0. The attacker sets `splits(0)` to be 7, hence the `while` loop does not execute and `batch_idx` remains 0. This then results in writing to `out(-1, bin)`, which is before the heap allocated buffer for the output tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.
CVE-2021-29514 | Source & Patch Info: CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/87cf4... L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29535 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.AvgPool3DGrad` is vulnerable to a heap buffer overflow. The implementation (https://github.com/tensorflow/tensorflow/blob/d80ff... L450) assumes that the `orig_input_shape` and `grad` tensors have similar first and last dimensions but does not check that this assumption is validated. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/080f1... L86) fails to properly validate the input arguments. Although `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since `OP_REQUIRES` (https://github.com/tensorflow/tensorflow/blob/080f... L48) is a macro that only exits the current function. Thus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context->status()` or to convert `ValidateInputs` to return a `Status`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVE-2021-29530 | Source & Patch Info: MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in `tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/44b71486c0143f68b56c34e2d01... L66) computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value. For some values of `in`, `interpolation->upper[i]` might be smaller than `interpolation->lower[i]`. This is an issue if `interpolation->upper[i]` is capped at `in_size-1` as it means that `interpolation->lower[i]` points outside of the image. Then, in the interpolation code (https://github.com/tensorflow/tensorflow/blob/44b7f486c0143168b56c34e2d0... L264), this would result in heap buffer overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29529 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor` (https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTens...), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op (https://github.com/tensorflow/tensorflow/blob/8b677d79167799f... L433). Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits` array, making it contain only one element, 0. Thus, the code in the `while` loop would increment `batch_idx` and then try to read `splits(1)`, which is outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.
CVE-2021-29512 | Source & Patch Info: MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba36... L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29536 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` is vulnerable to a heap buffer overflow. The implementation (https://github.com/tensorflow/tensorflow/blob/596c... L696) does not check that the initialization of `Pool3dParameters` completes successfully. Since the constructor (https://github.com/tensorflow/tensorflow/blob/596c05a159... L88) uses `OP_REQUIRES` to validate conditions, the first assertion that fails interrupts the initialization of `params`, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVE-2021-2957_ (last digit unreadable) | Source & Patch Info: MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/50711... L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd94... L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29540 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel (https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba... L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/699b... L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/afd95fe65f1... L322) does not validate before writing to the output array. The values for `h_out` and `w_out` are guaranteed to be in range for `out_backprop` (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating `h_in_max`/`w_in_max` and `in_backprop`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29566 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/3f6feddfef6f57e7682...) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation (https://github.com/tensorflow/tensorflow/blob/31bd4026304677faa... L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVE-2021-29571 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation (https://github.com/tensorflow/tensorflow/blob/72fe7... L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify (https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e... L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29616 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for `axis` argument. The validation (https://github.com/tensorflow/tensorflow/blob/eccb7ec454e661... L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29610 | Source & Patch Info: CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array (https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e35... L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version (https://github.com/tensorflow/tensorflow/blob/1d8903e5b16...) is buggy due to a confusion about pointer arithmetic rules. First, the code computes (https://github.com/tensorflow/tensorflow/blob/1d8903e5b...) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor (https://github.com/tensorflow/tensorflow/blob/1d8903e5b16... L79). This is followed by reencoding code (https://github.com/tensorflow/tensorflow/blob/1d8903e5b1674d0432... L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation (https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f1...) fails to validate that `scale`, `offset`, `mean` and `variance` (the last two only when required) all have the same number of elements as the number of channels of `x`. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29583 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. TFLite's convolution code (https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e96...) has multiple divisions where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | CVE-2021-29594 | Source & Patch Info: MISC, CONFIRM

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `BatchToSpaceNd` TF Lite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/b5ed552fe5589aee8bd8b191...#L82). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape of `Reshape` operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability (https://github.com/tensorflow/tensorflow/blob/9c1dc92...#L1074) allowed passing a null-buffer-backed tensor with a 1D shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CVE-2021-29592, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. TFLite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation could be tricked into a scenario where both the body and the loop subgraphs are the same. Evaluating one of the subgraphs means calling the `Eval` function for the other and this quickly exhausts all stack space. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. Please consult our security guide (https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling `ComputePaddingHeightWidth` (https://github.com/tensorflow/tensorflow/blob/3f24...). Since users can craft special models which will have `params->stride_{height,width}` be zero, this will result in a division by zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e...). An attacker can craft a model such that `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the `TransposeConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e017...#L5222). An attacker can craft a model such that `stride_{h,w}` values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division (https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17db...#L67). An attacker can craft a model such that `params->block_size` would be zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `EmbeddingLookup` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/e4b29809543b250bc9b19678e...#L74). An attacker can craft a model such that the first dimension of the `value` input is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in Eigen implementation of `tf.raw_ops.BandedTriangularSolve`. The implementation (https://github.com/tensorflow/tensorflow/blob/eccb7ec454e66177...#L278) calls `ValidateInputTensors` for input validation but fails to validate that the two tensors are not empty. Furthermore, since `OP_REQUIRES` macro only stops execution of current function after setting `ctx->status()` to a non-OK value, callers of helper functions that use `OP_REQUIRES` must check value of `ctx->status()` before continuing. This doesn't happen in this op's implementation (https://github.com/tensorflow/tensorflow/blob/eccb7ec454e66177...), hence the validation that is present is also not effective. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CVE-2021-29612, CONFIRM, MISC, MISC

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize` (https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671...#L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CVE-2021-29585, MISC, CONFIRM

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e...#L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V` (https://github.com/tensorflow/tensorflow/blob/c59c37e7b40563967da813...). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the `SizeOfDimension` function (https://github.com/tensorflow/tensorflow/blob/102b211d89...#L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29606, CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SpaceToBatchNd` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/412c7d9bb8f8a762c...#L83). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SVDF` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/7f283ff806b203...#L102). An attacker can craft a model such that `params->rank` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC

Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `Split` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/e2752089ef7ce9bcf3db0ec618...#L65). An attacker can craft a model such that `num_splits` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `OneHot` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/f61c57bd42587be108ec787f4...#L72). An attacker can craft a model such that at least one of the dimensions of `indices` would be 0. In turn, the `prefix_dim_size` value would become 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax` (https://github.com/tensorflow/tensorflow/blob/102b211d892f3ab...#L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CVE-2021-29603, CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/656e4673b14acd783...) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: 4.6 | Source & Patch Info: CVE-2021-29607, MISC, MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation (https://github.com/tensorflow/tensorflow/blob/656e4673b14acd783...#L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, MISC, CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/656e4673b14acd783...) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: CVE-2021-29609, MISC, CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalAvgPoolGrad` is vulnerable to a heap buffer overflow. The implementation (https://github.com/tensorflow/tensorflow/blob/dcba796a28364d6d7...) fails to validate that the pooling sequence arguments have enough elements as required by the `out_backprop` tensor shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 4.6 | Source & Patch Info: MISC, CONFIRM
Primary Vendor -- Product: hexagon -- intergraph_g!nius
Description: Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: MISC, MISC
Primary Vendor -- Product: ibm -- cloud_pak_for_security
Description: IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 199235.
Published: 2021-05-14 | CVSS Score: 4.3 | Source & Patch Info: CVE-2021-20564, XF, CONFIRM
Primary Vendor -- Product: ibm -- cloud_pak_for_security
Description: IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a privileged user to inject malicious data using a specially crafted HTTP request due to improper input validation.
Published: 2021-05-14 | CVSS Score: 4 | Source & Patch Info: CVE-2020-4811, XF, CONFIRM
Primary Vendor -- Product: ibm -- cloud_pak_for_security
Description: IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. IBM X-Force ID: 199236.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2021-20565, XF, CONFIRM
Primary Vendor -- Product: ibm -- planning_analytics_local
Description: IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642.
Published: 2021-05-14 | Source & Patch Info: CVE-2020-4985, CONFIRM, XF
Primary Vendor -- Product: ibm -- qradar_user_behavior_analytics
Description: IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could disclose sensitive information due to an overly permissive cross-domain policy. IBM X-Force ID: 196334.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2021-20429, CONFIRM, XF
Primary Vendor -- Product: ibm -- qradar_user_behavior_analytics
Description: IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196001.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2021-20393, CONFIRM, XF
Primary Vendor -- Product: ibm -- qradar_user_behavior_analytics
Description: IBM QRadar User Behavior Analytics 1.0.0 through 4.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Published: 2021-05-14 | CVSS Score: 4.3 | Source & Patch Info: CVE-2021-20392, CONFIRM, XF
5/24/2021 Vulnerability Summary for the Week of May 17, 2021
Primary Vendor -- Product: imagemagick -- imagemagick
Description: In ImageMagick versions before 7.0.9-0, there are outside the range of representable values of type 'float' at MagickCore/quantize.c.
Published: 2021-05-14 | CVSS Score: 4.3
Primary Vendor -- Product: kaspersky -- password_manager
Description: Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2020-27020, MISC
Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
CVSS Score: 4 | Source & Patch Info: CVE-2020-20222, MISC, MISC, FULLDISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
CVSS Score: 4 | Source & Patch Info: CVE-2020-20227, MISC, FULLDISC, MISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
Published: 2021-05-18 | CVSS Score: 4 | Source & Patch Info: CVE-2020-20237, MISC, MISC, FULLDISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs 6.46.3 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
CVSS Score: 4 | Source & Patch Info: CVE-2020-20236, MISC, MISC, FULLDISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
Published: 2021-05-18 | CVSS Score: 4 | Source & Patch Info: FULLDISC, MISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
CVSS Score: 4 | Source & Patch Info: CVE-2020-20246, MISC, FULLDISC, MISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from an assertion failure vulnerability in the btest process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.
Published: 2021-05-18 | CVSS Score: 4 | Source & Patch Info: CVE-2020-20214, MISC, MISC, FULLDISC

Primary Vendor -- Product: mikrotik -- routeros
Description: Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
CVSS Score: 4 | Source & Patch Info: CVE-2020-20220, MISC, FULLDISC, MISC
Primary Vendor -- Product: Redirect 404 to parent (WordPress plugin)
Description: The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
Published: 2021-05-14 | CVSS Score: 4.3

Primary Vendor -- Product: mooveagency -- select_all_categories_and_taxonomies...
Description: The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
Published: 2021-05-14 | CVSS Score: 4.3 | Source & Patch Info: CVE-2021-24287, CONFIRM
Primary Vendor -- Product: moxa -- nport_ia5150a_firmware
Description: By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with "Read Only" privilege level can send requests via the web console to have the device's configuration changed.
Published: 2021-05-14 | CVSS Score: 4 | Source & Patch Info: CVE-2020-27149, MISC, MISC

Primary Vendor -- Product: moxa -- nport_ia5150a_firmware
Description: Cleartext transmission of sensitive information via Moxa Service in NPort IA5000A series serial devices. Successfully exploiting the vulnerability could enable attackers to read authentication data, device configuration, and other sensitive data transmitted over Moxa Service.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2020-27185, MISC, MISC
Primary Vendor -- Product: querysol -- redirection_for_contact_form_7
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Published: 2021-05-14 | CVSS Score: 6.5 | Source & Patch Info: CVE-2021-24280, CONFIRM, MISC

Primary Vendor -- Product: querysol -- redirection_for_contact_form_7
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin's settings, wpcf7r_add_action to add actions to a form, and more.
Published: 2021-05-14 | CVSS Score: 6.5 | Source & Patch Info: MISC, CONFIRM

Primary Vendor -- Product: querysol -- redirection_for_contact_form_7
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Published: 2021-05-14 | CVSS Score: 5 | Source & Patch Info: CVE-2021-24278, MISC, CONFIRM

Primary Vendor -- Product: querysol -- redirection_for_contact_form_7
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
Published: 2021-05-14 | CVSS Score: 4 | Source & Patch Info: MISC
Primary Vendor -- Product: querysol -- redirection_for_contact_form_7
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
Primary Vendor -- Product: squirrelly -- squirrelly
Description: Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
Published: 2021-05-14 | CVSS Score: 6.8 | Source & Patch Info: CVE-2021-32819, MISC, MISC
Primary Vendor -- Product: tp-link -- archer_c1200_firmware
Description: TP-Link Archer C1200 firmware version 1.13 Build 2018/01/24 rel.52299 EU has an XSS vulnerability allowing a remote attacker to execute arbitrary code.
Published: 2021-05-14 | CVSS Score: 4.3 | Source & Patch Info: CVE-2020-17891, MISC
Primary Vendor -- Product: upx_project -- upx
Description: A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
CVSS Score: 5.8 | Source & Patch Info: CVE-2020-24119, CONFIRM
Primary Vendor -- Product: WooCommerce Conditional Marketing Mailer (WordPress plugin)
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14 | CVSS Score: 6.5

Primary Vendor -- Product: Visitor Traffic Real Time Statistics (WordPress plugin)
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14 | CVSS Score: 6.5
Primary Vendor -- Product: libxml2
Description: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVSS Score: 4.3 | Source & Patch Info: CVE-2021-3537, MISC, FEDORA, MLIST
Low Vulnerabilities 
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
Primary Vendor -- Product: dedecms -- dedecms
Description: An XSS vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
Published: 2021-05-15 | Source & Patch Info: CVE-2020-16632, MISC, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1...#L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1615440b17b364b8...#L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.4 | Source & Patch Info: CVE-2021-29543, MISC, CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Specifying a negative dense shape in `tf.raw_ops.SparseCountSparseOutput` results in a segmentation fault being thrown out from the standard library as `std::vector` invariants are broken. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/8f7b6...#L213) assumes the first element of the dense shape is always positive and uses it to initialize a `BatchedMap<T>` (i.e., `std::vector<absl::flat_hash_map<int64,T>>` (https://github.com/tensorflow/tensorflow/blob/8f7b6...)) data structure. If the `shape` tensor has more than one element, `num_batches` is the first value in `shape`. Ensuring that the `dense_shape` argument is a valid tensor shape (that is, all elements are non-negative) solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29521, MISC
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/472c...) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CONFIRM
Primary Vendor -- Product: google -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad...#L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when `parent_output_index` is shorter than `row_split`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: CVE-2021-29560, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation (https://github.com/tensorflow/tensorflow/blob/ac32..., #L50) assumes that the `input_min` and `input_max` tensors have at least one element, as it accesses the first element in two arrays. If the tensors are empty, `.flat<T>()` is an empty object, backed by an empty array. Hence, accessing even the 0th element is a read outside the bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: CVE-2021-29569, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation (https://github.com/tensorflow/tensorflow/blob/ef0c..., #L1017) uses the same value to index in two different arrays but there is no guarantee that the sizes are identical. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/2600..., #L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: MISC, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation (https://github.com/tensorflow/tensorflow/blob/0d45..., #L56) indexes in both tensors with the same index but does not validate that the index is within bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
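The RaggedTensorToTensor, MaxPoolGradWithArgmax (second entry), Dequantize and TFLite Minimum/Maximum entries above all come down to one pattern: a loop bound is taken from one input while the body indexes a second input with the same counter, and nothing establishes that the second input is at least as long. The C++ below is an added illustration of that pattern and of the size check that closes it; it is not TensorFlow's code, and the `Status`, `SumUnchecked` and `SumChecked` names and the sample vectors are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Minimal stand-in for a kernel status (example's own type, not TF's).
struct Status {
  bool ok;
  std::string message;
};

// Vulnerable shape of code: the loop bound comes from `row_split`, but the body
// also indexes `parent_output_index` with the same counter. When the caller
// hands in a shorter `parent_output_index`, the reads run past its buffer.
int64_t SumUnchecked(const std::vector<int64_t>& row_split,
                     const std::vector<int64_t>& parent_output_index) {
  int64_t acc = 0;
  for (size_t i = 0; i < row_split.size(); ++i) {
    acc += row_split[i] * parent_output_index[i];  // heap OOB read if sizes differ
  }
  return acc;
}

// Hardened shape of code: establish the size relation between every array the
// loop will touch before the first access, and return a Status instead of
// crashing (the OP_REQUIRES style rather than CHECK).
Status SumChecked(const std::vector<int64_t>& row_split,
                  const std::vector<int64_t>& parent_output_index,
                  int64_t* out) {
  if (parent_output_index.size() < row_split.size()) {
    return {false, "parent_output_index has " + std::to_string(parent_output_index.size()) +
                       " elements but row_split has " + std::to_string(row_split.size())};
  }
  int64_t acc = 0;
  for (size_t i = 0; i < row_split.size(); ++i) {
    acc += row_split[i] * parent_output_index[i];
  }
  *out = acc;
  return {true, ""};
}

// Constructed inputs: `parent_output_index` is one element shorter than `row_split`.
bool DemoShorterIndexIsRejected() {
  const std::vector<int64_t> row_split{0, 2, 5};
  const std::vector<int64_t> parent_output_index{1, 1};
  int64_t out = 0;
  return !SumChecked(row_split, parent_output_index, &out).ok;
}

// Constructed inputs with matching sizes: 0*1 + 2*1 + 5*1 = 7.
int64_t DemoMatchingSizes() {
  int64_t out = 0;
  SumChecked({0, 2, 5}, {1, 1, 1}, &out);
  return out;
}

int main() {
  std::printf("shorter index rejected: %s\n", DemoShorterIndexIsRejected() ? "yes" : "no");
  std::printf("matching sizes sum: %lld\n", static_cast<long long>(DemoMatchingSizes()));
  return 0;
}
```

The check belongs before the loop, not inside it: once the relation between the two sizes is established the body can stay as simple as the unchecked version, and the caller gets an error it can report instead of a process crash.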








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue (https://github.com/tensorflow/tensorflow/blob/7b7352a724b69..., #L76). An attacker can craft a model such that the dimensions of one of the concatenation input overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: CVE-2021-29601, CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: MISC, MISC
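The TFLite concatenation entry above turns on a width mismatch: TF carries dimensions as `int64` while TFLite carries them as `int`, so an element count that is valid in TF wraps during conversion. The C++ below is an added illustration (not TensorFlow's or TFLite's code) of the wrap and of a checked accumulation a converter can run before trusting a shape; `NumElementsInt32Wrapping`, `NumElementsChecked` and `FitsInt32Runtime` are this example's own names, and the shapes are constructed inputs.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// TFLite-style accumulation in a 32-bit `int`. Signed overflow is undefined in
// C++, so the wrap is performed in uint32_t to make the wrapped value
// deterministic; the point is that nothing here reports the overflow.
int NumElementsInt32Wrapping(const std::vector<int64_t>& dims) {
  uint32_t n = 1;
  for (int64_t d : dims) n *= static_cast<uint32_t>(d);
  return static_cast<int>(n);
}

// Checked accumulation: `limit` is the largest count the consumer's dimension
// type can hold (INT_MAX for an int-based runtime, INT64_MAX for TF's int64).
// Returns false on a negative dim or when the product would exceed `limit`.
bool NumElementsChecked(const std::vector<int64_t>& dims, int64_t limit, int64_t* out) {
  int64_t n = 1;
  for (int64_t d : dims) {
    if (d < 0) return false;
    if (d != 0 && n > limit / d) return false;  // n * d > limit, without computing it
    n *= d;
  }
  *out = n;
  return true;
}

// Converter-side admission test: a TF shape is safe for an int-dimensioned
// runtime only if every dim and the total element count fit in int.
bool FitsInt32Runtime(const std::vector<int64_t>& dims) {
  for (int64_t d : dims) {
    if (d > std::numeric_limits<int>::max()) return false;
  }
  int64_t n = 0;
  return NumElementsChecked(dims, std::numeric_limits<int>::max(), &n);
}

// Constructed shape: each dim fits in int, the product (2^32) does not.
bool DemoValidInTfRejectedForTflite() {
  const std::vector<int64_t> dims{65536, 65536};
  int64_t n = 0;
  bool ok_in_tf = NumElementsChecked(dims, std::numeric_limits<int64_t>::max(), &n);
  return ok_in_tf && n == (int64_t{1} << 32) && !FitsInt32Runtime(dims);
}

int main() {
  const std::vector<int64_t> dims{65536, 65536};
  std::printf("int32 wrapped count: %d\n", NumElementsInt32Wrapping(dims));
  std::printf("fits int32 runtime: %s\n", FitsInt32Runtime(dims) ? "yes" : "no");
  return 0;
}
```

The same `limit / d` comparison works for any target width, so a converter can run it once with the narrow runtime's limit instead of discovering the wrap later in a kernel's indexing arithmetic.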








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations (https://github.com/tensorflow/tensorflow/blob/904b3926..., #L40) does not validate that the ragged tensor argument is non-empty. Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside of bounds of heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d75174aa6bf5...) does not validate the value of user supplied `axis` attribute before using it to index in the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: MISC, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. A malicious user could trigger a division by 0 in `Conv3D` implementation. The implementation (https://github.com/tensorflow/tensorflow/blob/42034603003965bffac51ae171b5..., #L145) does a modulo operation based on user controlled input. Thus, when `filter` has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29517
5/24/2021 Vulnerability Summary for the Week of May 17, 2021

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in converting sparse tensors to CSR Sparse matrices. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e18...) does a double redirection to access an element of an array allocated on the heap. If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the bounds of `csr_row_ptr`, this results in writing outside of bounds of heap allocated data. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29545, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a91b..., #L450) does not check that the divisor used in computing the shard size is not zero. Thus, if attacker controls the input sizes, they can trigger a denial of service via a division by zero error. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`. This is because the implementation (..., #L259) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: MISC, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc..., #L74) does not fully validate the `data_splits` argument. This would result in `ngrams_data` (https://github.com/tensorflow/tensorflow/blob/1cdd4..., #L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst` (https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29539, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd94..., #L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29538, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b90...) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0..., #L188) uses a `CHECK` operation which triggers when `InitDims` (https://github.com/tensorflow/tensorflow/blob/6f9896890c4..., #L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29534, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/ea34a1..., #L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29533, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/e312e079..., #L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is `nullptr`. Hence, when calling `png::WriteImageToBuffer` (https://github.com/tensorflow/tensorflow/..., #L93), the first argument (i.e., `image.flat<T>().data()`) is `NULL`. This then triggers the `CHECK_NOTNULL` in the first line of `png::WriteImageToBuffer` (https://github.com/tensorflow/tensorflow/..., #L349). Since `image` is null, this results in `abort` being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedMul`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55900e961ed4a23b..., #L198) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29619, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/988087bd83f144af1..., #L263) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.AddManySparseToTensorsMap`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae...) takes the values specified in `sparse_shape` as dimensions for the output shape. The `TensorShape` constructor (https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0..., #L188) uses a `CHECK` operation which triggers when `InitDims` (https://github.com/tensorflow/tensorflow/blob/6f9896890c4..., #L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
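The SparseConcat, DrawBoundingBoxes and AddManySparseToTensorsMap entries above describe one defect class: an input-dependent condition is enforced with a `CHECK`-style assertion that aborts the process, where an `OP_REQUIRES`-style check would return an error to the caller. The C++ below is an added illustration, not TensorFlow's code; its `CHECK_GE`/`REQUIRE` macros only imitate that split, and `NumElementsLegacy`, `NumElementsChecked`, `RowClampChecked` and the sample shapes are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct Status {
  bool ok;
  std::string message;
};

// CHECK-style assertion: a false condition terminates the process. This is
// the behaviour the entries above describe, imitated here (not TF's macro).
#define CHECK_GE(a, b)                                                  \
  do {                                                                  \
    if (!((a) >= (b))) {                                                \
      std::fprintf(stderr, "CHECK failed: %s >= %s\n", #a, #b);         \
      std::abort();                                                     \
    }                                                                   \
  } while (0)

// OP_REQUIRES-style check: a false condition returns an error Status to the
// caller, who can report it to the user instead of dying.
#define REQUIRE(cond, msg)                          \
  do {                                              \
    if (!(cond)) return Status{false, (msg)};       \
  } while (0)

// Legacy-style shape construction: dims are trusted, a negative dim trips the
// CHECK, and the element count silently wraps on overflow.
int64_t NumElementsLegacy(const std::vector<int64_t>& dims) {
  int64_t n = 1;
  for (int64_t d : dims) {
    CHECK_GE(d, 0);
    n *= d;
  }
  return n;
}

// Status-returning construction (the BuildTensorShapeBase / AddDimWithStatus
// style the entries recommend): negative dims and int64 overflow are reported.
Status NumElementsChecked(const std::vector<int64_t>& dims, int64_t* num_elements) {
  int64_t n = 1;
  for (int64_t d : dims) {
    REQUIRE(d >= 0, "dimension must be non-negative, got " + std::to_string(d));
    int64_t next = 0;
    REQUIRE(!__builtin_mul_overflow(n, d, &next), "element count overflows int64");
    n = next;
  }
  *num_elements = n;
  return {true, ""};
}

// DrawBoundingBoxes-style bound: with height == 0 the clamp bound goes to -1,
// which a CHECK would turn into an abort; here it becomes an error.
Status RowClampChecked(int64_t height, int64_t* max_box_row_clamp) {
  REQUIRE(height > 0, "images must have height >= 1, got " + std::to_string(height));
  *max_box_row_clamp = height - 1;
  return {true, ""};
}

// Constructed inputs exercising each rejected case and one valid case.
bool DemoOverflowIsReported() {
  int64_t n = 0;
  return !NumElementsChecked({int64_t{1} << 40, int64_t{1} << 40}, &n).ok;
}
bool DemoNegativeDimIsReported() {
  int64_t n = 0;
  return !NumElementsChecked({3, -1}, &n).ok;
}
int64_t DemoValidCount() {
  int64_t n = 0;
  NumElementsChecked({2, 3, 4}, &n);
  return n;
}
bool DemoZeroHeightIsReported() {
  int64_t clamp = 0;
  return !RowClampChecked(0, &clamp).ok;
}

int main() {
  std::printf("overflow reported: %d, negative dim reported: %d, valid count: %lld, zero height reported: %d\n",
              DemoOverflowIsReported(), DemoNegativeDimIsReported(),
              static_cast<long long>(DemoValidCount()), DemoZeroHeightIsReported());
  return 0;
}
```

The two macros differ only in what happens on failure, which is exactly the point of the advisories: the condition is the same, but an assertion on attacker-controlled data is a crash primitive while a returned status is an error message.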








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropFilter`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/496c4630e51c1a478f095b084329...) does a modulus operation where the divisor is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: MISC, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/efea0..., #L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 3.6 | Source & Patch Info: CVE-2021-29532, MISC, CONFIRM
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to `tf.raw_ops.StringNGrams`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc..., #L185) fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when left padding is present), the marked line would result in reading `data[-1]`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29542, CONFIRM, MISC
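The second StringNGrams entry above is an off-by-one in the familiar "join the first n-1 tokens with a separator, then append the last token" loop: when the window holds zero tokens and starts at index 0, the "last token" index is -1. The C++ below is an added stand-alone reconstruction of that shape of loop (not TensorFlow's code; `NgramUnchecked`, `NgramChecked`, `LastTokenIndex` and the sample tokens are this example's own) showing the index the unchecked version would read and a version that handles the zero-token window.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Builds one ngram from data[start, start + count) joined by `sep`, preceded by
// `left_pad` copies of `pad`. This is the "separator between tokens, last token
// appended after the loop" shape of code; it is not TensorFlow's implementation.
std::string NgramUnchecked(const std::vector<std::string>& data, int64_t start,
                           int64_t count, int64_t left_pad,
                           const std::string& pad, const std::string& sep) {
  std::string out;
  for (int64_t i = 0; i < left_pad; ++i) out += pad + sep;
  for (int64_t i = 0; i + 1 < count; ++i) out += data[start + i] + sep;
  out += data[start + count - 1];  // count == 0 && start == 0  ->  data[-1]
  return out;
}

// The index the unchecked version reads after its loop, exposed so the defect
// can be observed without performing the out-of-bounds read itself.
int64_t LastTokenIndex(int64_t start, int64_t count) { return start + count - 1; }

// Hardened: validate the window, and handle count == 0 explicitly (here it
// produces padding only; a kernel could equally return an InvalidArgument).
bool NgramChecked(const std::vector<std::string>& data, int64_t start, int64_t count,
                  int64_t left_pad, const std::string& pad, const std::string& sep,
                  std::string* out) {
  if (start < 0 || count < 0 || left_pad < 0) return false;
  if (start + count > static_cast<int64_t>(data.size())) return false;
  std::string s;
  bool first = true;
  for (int64_t i = 0; i < left_pad; ++i) {
    if (!first) s += sep;
    s += pad;
    first = false;
  }
  for (int64_t i = 0; i < count; ++i) {
    if (!first) s += sep;
    s += data[start + i];
    first = false;
  }
  *out = s;
  return true;
}

// Constructed sample: three tokens, one left pad, window of two tokens.
std::string DemoTwoTokenWindow() {
  std::string out;
  NgramChecked({"a", "b", "c"}, 0, 2, 1, "<pad>", " ", &out);
  return out;  // "<pad> a b"
}

// Constructed sample: zero-token window at start 0 with left padding present.
std::string DemoZeroTokenWindow() {
  std::string out;
  NgramChecked({"a", "b", "c"}, 0, 0, 1, "<pad>", " ", &out);
  return out;  // "<pad>"
}

int main() {
  std::printf("unchecked last index for empty window: %lld\n",
              static_cast<long long>(LastTokenIndex(0, 0)));
  std::printf("checked: \"%s\" / \"%s\"\n",
              DemoTwoTokenWindow().c_str(), DemoZeroTokenWindow().c_str());
  return 0;
}
```

Folding the separator decision into a single loop over all tokens removes the special "last token" access entirely, so there is no index to go negative when the window is empty.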








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CVE-2021-29618, MISC, CONFIRM, MISC, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29563, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.EditDistance`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/7986b542f9ffdc9ca..., #L159) has incomplete validation of the input parameters. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55a97..., #L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
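The first MaxPoolGradWithArgmax entry, the RaggedTensorToVariant entry, the PNG encoding entry and the QuantizedBatchNormWithGlobalNormalization segfault entry above share a root cause: the kernel reads element 0 of a tensor that the op contract says is a scalar, but nothing rejects a tensor with zero elements, so `.flat<T>().data()` is null or the read lands past the buffer. The C++ below is an added illustration (not TensorFlow's code) with a minimal `Tensor` stand-in whose `flat()` mirrors that null-on-empty behaviour; `MinMaxRangeUnchecked`, `MinMaxRangeChecked`, `EncodeBufferChecked` and the sample tensors are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Status {
  bool ok;
  std::string message;
};

// Minimal tensor stand-in (example's own type). `flat()` mirrors the
// `.flat<T>().data()` idiom: for a tensor with zero elements it yields nullptr.
struct Tensor {
  std::vector<int64_t> shape;  // {} for a scalar, {0} for an empty vector
  std::vector<float> data;     // row-major storage; data.size() == product(shape)
  size_t NumElements() const { return data.size(); }
  const float* flat() const { return data.empty() ? nullptr : data.data(); }
};

// Vulnerable shape of code: "the op contract says these are scalars, so element
// 0 exists". On an empty tensor this dereferences nullptr or reads past the end.
float MinMaxRangeUnchecked(const Tensor& input_min, const Tensor& input_max) {
  return input_max.flat()[0] - input_min.flat()[0];
}

// Hardened: check the element count before the first read and return a Status
// the caller can surface as an error instead of a crash.
Status MinMaxRangeChecked(const Tensor& input_min, const Tensor& input_max, float* range) {
  if (input_min.NumElements() < 1) return {false, "input_min must have at least one element"};
  if (input_max.NumElements() < 1) return {false, "input_max must have at least one element"};
  *range = input_max.flat()[0] - input_min.flat()[0];
  return {true, ""};
}

// Same precondition for a buffer handed to a CHECK_NOTNULL-style callee
// (the PNG case): reject the empty tensor before its null buffer is passed on.
Status EncodeBufferChecked(const Tensor& image, const float** buffer) {
  if (image.NumElements() == 0) return {false, "image must not be empty"};
  *buffer = image.flat();
  return {true, ""};
}

// Constructed inputs: an empty tensor (shape {0}) and a scalar.
bool DemoEmptyIsRejected() {
  const Tensor empty{{0}, {}};
  const Tensor scalar{{}, {1.0f}};
  float r = 0;
  const float* buf = nullptr;
  return !MinMaxRangeChecked(empty, scalar, &r).ok &&
         !MinMaxRangeChecked(scalar, empty, &r).ok &&
         !EncodeBufferChecked(empty, &buf).ok && empty.flat() == nullptr;
}

// Constructed scalars: 4.0 - (-2.5) = 6.5.
float DemoValidRange() {
  const Tensor lo{{}, {-2.5f}};
  const Tensor hi{{}, {4.0f}};
  float r = 0;
  MinMaxRangeChecked(lo, hi, &r);
  return r;
}

int main() {
  std::printf("empty rejected: %s, range: %g\n",
              DemoEmptyIsRejected() ? "yes" : "no", DemoValidRange());
  return 0;
}
```

A scalar has rank 0 but exactly one element; the check that matters is on the element count, not on the rank, because a rank-1 tensor of shape {0} passes a rank-based test and still has nothing to read.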








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55a9...) does not validate all constraints specified in the op's contract (https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/6f26b..., #L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes (https://github.com/tensorflow/tensorflow/blob/6f26b3f34182..., #L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29549, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3..., #L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments (https://github.com/tensorflow/tensorflow/blob/acc8ee69..., #L99) to `GeneratePoolingSequence` (https://github.com/tensorflow/tensorflow/blob/acc8ee..., #L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29550, CONFIRM, MISC
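The Conv2D, Conv3D, QuantizedMul, Conv2DBackpropFilter and FractionalAvgPool entries above all divide, or take a modulo, by a quantity derived from caller-controlled shapes. The C++ below is an added illustration (not TensorFlow's code) of the FractionalAvgPool arithmetic in isolation: `floor(input_size / pooling_ratio)` reaches 0 when the input is smaller than the ratio, a debug-only `DCHECK_GT` stand-in is compiled out when `NDEBUG` is defined, and the modulo downstream then faults; the checked variant validates the divisor first. `ComputeOutputSizes`, `RunPoolLegacy`, `RunPoolChecked` and the sample shapes are this example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct Status {
  bool ok;
  std::string message;
};

// Debug-only assertion stand-in (not TF's macro): active in debug builds,
// compiled to nothing when NDEBUG is defined, exactly the property that lets
// a release binary sail past it.
#ifdef NDEBUG
#define DCHECK_GT(a, b) do {} while (0)
#else
#define DCHECK_GT(a, b)                                                  \
  do {                                                                   \
    if (!((a) > (b))) {                                                  \
      std::fprintf(stderr, "DCHECK failed: %s > %s\n", #a, #b);          \
      std::abort();                                                      \
    }                                                                    \
  } while (0)
#endif

// output_size[i] = floor(input_size[i] / pooling_ratio[i]); this is 0 whenever
// the input dimension is smaller than the ratio.
std::vector<int64_t> ComputeOutputSizes(const std::vector<int64_t>& input_size,
                                        const std::vector<double>& pooling_ratio) {
  std::vector<int64_t> output_size(input_size.size());
  for (size_t i = 0; i < input_size.size(); ++i) {
    output_size[i] = static_cast<int64_t>(std::floor(input_size[i] / pooling_ratio[i]));
  }
  return output_size;
}

// Downstream consumer whose first operation is a modulo by output_length.
// With output_length == 0 this is an integer division by zero (SIGFPE on x86).
int64_t PoolingRemainderUnchecked(int64_t input_length, int64_t output_length) {
  return input_length % output_length;
}

// Legacy flow: the only guard is a DCHECK, so release builds reach the modulo
// with a zero divisor. Not exercised by the tests; shown for the pattern.
int64_t RunPoolLegacy(const std::vector<int64_t>& input_size,
                      const std::vector<double>& pooling_ratio) {
  std::vector<int64_t> out = ComputeOutputSizes(input_size, pooling_ratio);
  int64_t acc = 0;
  for (size_t i = 0; i < out.size(); ++i) {
    DCHECK_GT(out[i], 0);  // no-op in release builds
    acc += PoolingRemainderUnchecked(input_size[i], out[i]);
  }
  return acc;
}

// Hardened flow: validate shapes and every computed divisor before arithmetic.
Status RunPoolChecked(const std::vector<int64_t>& input_size,
                      const std::vector<double>& pooling_ratio, int64_t* remainder_sum) {
  if (pooling_ratio.size() != input_size.size()) return {false, "pooling_ratio rank mismatch"};
  for (double r : pooling_ratio) {
    if (!(r >= 1.0)) return {false, "pooling_ratio elements must be >= 1"};
  }
  std::vector<int64_t> out = ComputeOutputSizes(input_size, pooling_ratio);
  int64_t acc = 0;
  for (size_t i = 0; i < out.size(); ++i) {
    if (out[i] <= 0) {
      return {false, "output_size[" + std::to_string(i) + "] is " + std::to_string(out[i]) +
                         "; input_size must be >= pooling_ratio"};
    }
    acc += input_size[i] % out[i];
  }
  *remainder_sum = acc;
  return {true, ""};
}

// Constructed shapes: input 3 with ratio 4.0 floors to an output size of 0.
bool DemoSmallInputIsRejected() {
  int64_t sum = 0;
  return !RunPoolChecked({3, 5}, {4.0, 1.0}, &sum).ok;
}

// Constructed shapes: {8, 6} / {2.0, 1.5} -> output sizes {4, 4}; 8%4 + 6%4 = 2.
int64_t DemoValidPool() {
  int64_t sum = 0;
  RunPoolChecked({8, 6}, {2.0, 1.5}, &sum);
  return sum;
}

int main() {
  std::printf("small input rejected: %s, valid remainder sum: %lld\n",
              DemoSmallInputIsRejected() ? "yes" : "no",
              static_cast<long long>(DemoValidPool()));
  return 0;
}
```

The rule the checked flow applies is general: any value that will be used as a divisor and that is computed from input shapes gets an explicit non-zero check on the release path, never only a debug assertion.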








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixTriangularSolve` (https://github.com/tensorflow/tensorflow/blob/8cae746d84..., #L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a2a6..., #L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29552, CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/efff01..., #L127) computes a divisor value from user data but does not check that the result is non-zero before doing the division. Since `data` is given by the `values` argument, `num_batch_elements` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.FusedBatchNorm`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/828f346274841fa750..., #L297) performs a division based on the last dimension of the `x` tensor. Since this is controlled by the user, an attacker can trigger a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac... at line L76) performs a division based on the first dimension of the tensor argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14


google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.SparseMatMul`. The division by 0 occurs deep in Eigen code because the `b` tensor is empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29617, MISC, CONFIRM, MISC, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.IRFFT`. The fix will be included in TensorFlow 2.5.0.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29562, MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from `tf.raw_ops.LoadAndRemapMatrix`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad... at line L222) assumes that the `ckpt_path` is always a valid scalar. However, an attacker can send any other tensor as the first argument of `LoadAndRemapMatrix`. This would cause the rank `CHECK` in `scalar<T>()()` to trigger and terminate the process. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29561, MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can trigger denial of service via `CHECK`-fails or accesses to outside the bounds of heap allocated data. Since the implementation (https://github.com/tensorflow/tensorflow/blob/3817... at line L80) only validates the rank of the input arguments but no constraints between dimensions (https://www.tensorflow.org/api_docs/python/tf/raw_ops/...), an attacker can abuse them to trigger internal `CHECK` assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CVE-2021-29567, CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail caused by an integer overflow in constructing a new tensor shape. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/0908... at line L70) builds a dense shape without checking that the dimensions would not result in overflow. The `TensorShape` constructor (https://github.com/tensorflow/tensorflow/blob/6f9896890... at line L188) uses a `CHECK` operation which triggers when `InitDims` (https://github.com/tensorflow/tensorflow/blob/6f9896890... at line L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `ParseAttrValue` (https://github.com/tensorflow/tensorflow/blob/c22... at line L453) can be tricked into a stack overflow due to recursion by giving it a specially crafted input. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: MISC, CONFIRM

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation (https://github.com/tensorflow/tensorflow/blob/e87b...) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating `TfLiteIntArray`s is vulnerable to an integer overflow issue (https://github.com/tensorflow/tensorflow/blob/4ceffae632721452bf3501b7... at line L27). An attacker can craft a model such that the `size` multiplier is so large that the return value overflows the `int` datatype and becomes negative. In turn, this results in an invalid value being given to `malloc` (https://github.com/tensorflow/tensorflow/blob/4ceffae632721452bf3501b7... at line L52). In this case, `ret->size` would dereference an invalid pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
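
The two integer-overflow entries above (the legacy `TensorShape` constructor and the `TfLiteIntArray` allocator) describe the same defect: a byte count or element count is computed from untrusted dimensions without first checking that the arithmetic fits the integer type, and the wrapped value is then handed to `malloc` or to a `CHECK`. The C program below is an added illustration of that defect beside its guard; it is not TensorFlow or TFLite code, and the `IntArrayLike` struct, the function names and the 805306368-element input are hypothetical stand-ins chosen to show the wrap.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a TfLiteIntArray-style header: a count followed
 * by `size` ints. The layout only mirrors the advisory's description; it is
 * not TensorFlow's struct. */
typedef struct {
    int size;
    int data[];
} IntArrayLike;

/* Unchecked form. The bug described above does this multiplication in `int`,
 * so a large `size` read from an untrusted model wraps to a negative value.
 * The 64-bit product is truncated here exactly as the wrapped 32-bit result
 * would be (a 32-bit signed multiply that overflows is undefined in C). */
int bytes_unchecked(int size) {
    int64_t wide = (int64_t)sizeof(IntArrayLike) + (int64_t)sizeof(int) * size;
    return (int)(uint32_t)wide;
}

/* Hardened form: establish the largest representable element count before
 * multiplying, so no wrapped value can ever reach malloc. */
bool bytes_checked(int size, size_t *out_bytes) {
    if (size < 0) return false;
    size_t max_elems = ((size_t)INT_MAX - sizeof(IntArrayLike)) / sizeof(int);
    if ((size_t)size > max_elems) return false;
    *out_bytes = sizeof(IntArrayLike) + sizeof(int) * (size_t)size;
    return true;
}

/* Allocation that refuses overflowing sizes instead of passing them on. */
IntArrayLike *alloc_int_array(int size) {
    size_t bytes;
    if (!bytes_checked(size, &bytes)) return NULL;
    IntArrayLike *arr = malloc(bytes);
    if (arr != NULL) arr->size = size;
    return arr;
}

/* The same guard for a TensorShape-style product of dimensions: negative
 * dimensions and any product that would not fit int64 are rejected up front,
 * which is what a status-returning constructor does instead of a CHECK. */
bool num_elements_checked(const int64_t *dims, int rank, int64_t *out) {
    int64_t n = 1;
    for (int i = 0; i < rank; i++) {
        if (dims[i] < 0) return false;
        if (dims[i] != 0 && n > INT64_MAX / dims[i]) return false;
        n *= dims[i];
    }
    *out = n;
    return true;
}

int main(void) {
    /* Constructed input: an element count a crafted model could carry.
     * 0x30000000 * sizeof(int) passes INT_MAX, so the unchecked count goes
     * negative. */
    int hostile = 805306368;
    printf("unchecked byte count for %d elements: %d\n", hostile, bytes_unchecked(hostile));

    size_t bytes;
    printf("checked allocation accepted: %s\n", bytes_checked(hostile, &bytes) ? "yes" : "no");

    int64_t dims[] = {1LL << 40, 1LL << 30};  /* constructed: product exceeds int64 */
    int64_t n;
    printf("shape product accepted: %s\n", num_elements_checked(dims, 2, &n) ? "yes" : "no");
    return 0;
}
```

The point of `bytes_checked` is that the comparison is done against a bound derived from `INT_MAX` before any multiplication takes place; a check on the product after the fact would itself depend on the overflowed value.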


google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.SparseFillEmptyRows`. This is because of missing validation (https://github.com/tensorflow/tensorflow/blob/fdc82089d406e281c628a9... at line L231) that was covered under a `TODO`. If the `dense_shape` tensor is empty, then `dense_shape_t.vec<>()` would cause a null pointer dereference in the implementation of the op. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c8... at line L288). An attacker can craft a model such that `input`'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c8... at line L115). An attacker can craft a model such that `values`'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation (https://github.com/tensorflow/tensorflow/blob/a747... at line L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalMaxPoolGrad` triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a `CHECK` condition becomes false and aborts the process. The implementation (https://github.com/tensorflow/tensorflow/blob/169084888450ce488...) fails to validate that input and output tensors are not empty and are of the same rank. Each of these unchecked assumptions is responsible for the above issues. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.ReverseSequence` allows for stack overflow and/or `CHECK`-fail based denial of service. The implementation (https://github.com/tensorflow/tensorflow/blob/5b3b071975e01f0d2... at line L118) fails to validate that `seq_dim` and `batch_dim` arguments are valid. Negative values for `seq_dim` can result in stack overflow or `CHECK`-failure, depending on the version of Eigen code used to implement the operation. Similar behavior can be exhibited by invalid values of `batch_dim`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-29575, CONFIRM, MISC

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0. The implementation (https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2... at line L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CONFIRM, MISC
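
Several of the FPE entries above (`DenseCountSparseOutput`, `FusedBatchNorm`, `Reverse`, `SparseMatMul`, the TFLite `DepthwiseConv` and hashtable lookup kernels, and `MaxPoolGradWithArgmax`) share one root cause: a kernel divides by a dimension the caller controls (the first, the last, or the element count of an argument) without first rejecting an empty one, and the resulting SIGFPE takes the whole process down. The C program below is an added example of that pattern next to the status-returning validation that prevents it; it is not TensorFlow code, and the `Shape` record, the `pool_grad_like`/`batch_norm_like` entry points and the constructed shapes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal shape record; a hypothetical stand-in, not TensorFlow's TensorShape. */
#define MAX_RANK 4
typedef struct {
    int rank;
    int64_t dims[MAX_RANK];
} Shape;

typedef enum { STATUS_OK = 0, STATUS_INVALID_ARGUMENT = 1 } Status;

static int64_t num_elements(const Shape *s) {
    int64_t n = 1;
    for (int i = 0; i < s->rank; i++) n *= s->dims[i];
    return n;
}

/* Unchecked pattern from the advisories above: a divisor taken straight from
 * a caller-controlled dimension. With dims[axis] == 0 the division raises
 * SIGFPE and the process dies. Never call this before validating the shape. */
int64_t elements_per_slice_unchecked(const Shape *s, int axis) {
    return num_elements(s) / s->dims[axis];
}

/* Hardened pattern: check every invariant the arithmetic relies on and hand
 * back a status the caller can turn into an error, before dividing. */
Status elements_per_slice_checked(const Shape *s, int axis, int64_t *out) {
    if (s->rank < 1 || s->rank > MAX_RANK) return STATUS_INVALID_ARGUMENT;
    if (axis < 0 || axis >= s->rank) return STATUS_INVALID_ARGUMENT;
    for (int i = 0; i < s->rank; i++)
        if (s->dims[i] < 0) return STATUS_INVALID_ARGUMENT;
    if (s->dims[axis] == 0) return STATUS_INVALID_ARGUMENT;  /* empty axis: nothing to divide by */
    *out = num_elements(s) / s->dims[axis];
    return STATUS_OK;
}

/* Pooling-gradient style entry point: the batch (first) dimension of the
 * input is the divisor, and the gradient must be shaped like the input. */
Status pool_grad_like(const Shape *input, const Shape *grad, int64_t *per_batch) {
    if (input->rank != grad->rank) return STATUS_INVALID_ARGUMENT;
    for (int i = 0; i < input->rank; i++)
        if (input->dims[i] != grad->dims[i]) return STATUS_INVALID_ARGUMENT;
    return elements_per_slice_checked(input, 0, per_batch);
}

/* Batch-norm style entry point: the channel (last) dimension is the divisor. */
Status batch_norm_like(const Shape *x, int64_t *per_channel) {
    if (x->rank < 1) return STATUS_INVALID_ARGUMENT;
    return elements_per_slice_checked(x, x->rank - 1, per_channel);
}

int main(void) {
    Shape good = {4, {2, 8, 8, 3}};        /* constructed: an ordinary NHWC tensor */
    Shape empty_batch = {4, {0, 8, 8, 3}}; /* constructed: what a crafted model can send */
    int64_t per_batch = 0;
    Status s = pool_grad_like(&good, &good, &per_batch);
    printf("normal batch -> status %d, elements per batch %lld\n", (int)s, (long long)per_batch);
    s = pool_grad_like(&empty_batch, &empty_batch, &per_batch);
    printf("empty batch  -> status %d, rejected before the division\n", (int)s);
    return 0;
}
```

The validation lives in the entry point rather than next to the division because the kernels above reach the divisor through several layers (Eigen in the `SparseMatMul` case); the only place where the rejected input can still be reported as an error rather than a crash is before the kernel body starts.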








google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation (https://github.com/tensorflow/tensorflow/blob/60a44c8b6192a4699...) does not validate that the user supplied arguments satisfy all constraints expected by the op (https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: 2.1

google -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.QuantizeAndDequantizeV4Grad`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/9507... at line L163) does not validate the rank of the `input_*` tensors. In turn, this results in the tensors being passed as they are to `QuantizeAndDequantizePerChannelGradientImpl` (https://github.com/tensorflow/tensorflow/blob/9507... at line L306). However, the `vec<T>` method requires the rank to be 1 and triggers a `CHECK` failure otherwise. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 as this is the only other affected version.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: MISC, CONFIRM

haml-coffee_project -- haml-coffee
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
Published: 2021-05-14 | CVSS Score: 3.5 | Source & Patch Info: CVE-2021-32818, CONFIRM, MISC
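
The `CHECK`-failure entries above (`LoadAndRemapMatrix`, `SparseDenseCwiseMul`, `ReverseSequence`, `SdcaOptimizer` and `QuantizeAndDequantizeV4Grad` among them) turn on one mechanism: an accessor such as `vec<T>()` or `scalar<T>()()` aborts the process when the tensor's rank is not what it assumes, so an op that forwards caller-supplied tensors to it without first checking rank, emptiness and the cross-argument constraints hands an attacker a one-request denial of service. The C program below is an added example of the discipline that closes that gap, validating at the op entry and returning a status before any aborting accessor is reached; it is not TensorFlow or Eigen code, and the `Tensor` record, the `*_or_die` accessors, the op names and the constructed inputs are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tensor record, not TensorFlow's: rank, dims and a flat buffer. */
#define MAX_RANK 4
typedef struct {
    int rank;
    int64_t dims[MAX_RANK];
    const float *data;
} Tensor;

typedef enum { STATUS_OK = 0, STATUS_INVALID_ARGUMENT = 1 } Status;

/* Emulates an accessor guarded by a hard CHECK, like vec<T>() or
 * scalar<T>()(): a rank mismatch aborts the process instead of failing
 * gracefully. The kernel entry point must never reach it with a bad tensor. */
const float *vec_or_die(const Tensor *t) {
    if (t->rank != 1) {
        fprintf(stderr, "Check failed: rank == 1 (got %d)\n", t->rank);
        abort();
    }
    return t->data;
}

const float *scalar_or_die(const Tensor *t) {
    if (t->rank != 0) {
        fprintf(stderr, "Check failed: rank == 0 (got %d)\n", t->rank);
        abort();
    }
    return t->data;
}

/* Status-returning validation done at op entry, the way an OP_REQUIRES-style
 * precondition is written: rank, emptiness and the cross-argument constraint
 * (vector length must match the channel count) the kernel later assumes. */
Status validate_scalar(const Tensor *t) {
    return (t->rank == 0 && t->data != NULL) ? STATUS_OK : STATUS_INVALID_ARGUMENT;
}

Status validate_vector(const Tensor *t, int64_t expected_len) {
    if (t->rank != 1 || t->data == NULL) return STATUS_INVALID_ARGUMENT;
    if (t->dims[0] <= 0 || t->dims[0] != expected_len) return STATUS_INVALID_ARGUMENT;
    return STATUS_OK;
}

/* Per-channel gradient style op: `input_min`/`input_max` must be rank-1 vectors
 * whose length equals the channel (last) dimension of `gradient`. Because the
 * checks run first, vec_or_die() below can no longer trip. The result is the
 * sum of (min + max) over channels, purely so there is a visible value. */
Status per_channel_grad_like(const Tensor *gradient, const Tensor *input_min,
                             const Tensor *input_max, float *out) {
    if (gradient->rank < 1 || gradient->rank > MAX_RANK) return STATUS_INVALID_ARGUMENT;
    int64_t channels = gradient->dims[gradient->rank - 1];
    Status s;
    if ((s = validate_vector(input_min, channels)) != STATUS_OK) return s;
    if ((s = validate_vector(input_max, channels)) != STATUS_OK) return s;
    const float *lo = vec_or_die(input_min);
    const float *hi = vec_or_die(input_max);
    float acc = 0.0f;
    for (int64_t c = 0; c < channels; c++) acc += lo[c] + hi[c];
    *out = acc;
    return STATUS_OK;
}

/* Checkpoint-path style op: the first argument must be a scalar. */
Status load_and_remap_like(const Tensor *ckpt_path, float *out) {
    Status s = validate_scalar(ckpt_path);
    if (s != STATUS_OK) return s;
    *out = *scalar_or_die(ckpt_path);
    return STATUS_OK;
}

int main(void) {
    /* Constructed inputs: a 2x3 gradient, matching rank-1 min/max vectors, and
     * a rank-2 "min" of the kind an attacker would pass to trip the CHECK. */
    const float g[6] = {0};
    const float lo[3] = {1.0f, 2.0f, 3.0f};
    const float hi[3] = {4.0f, 5.0f, 6.0f};
    Tensor gradient = {2, {2, 3}, g};
    Tensor vmin = {1, {3}, lo};
    Tensor vmax = {1, {3}, hi};
    Tensor bad_min = {2, {3, 1}, lo};
    float r = 0.0f;
    Status s = per_channel_grad_like(&gradient, &vmin, &vmax, &r);
    printf("valid shapes -> status %d, result %.1f\n", (int)s, r);
    s = per_channel_grad_like(&gradient, &bad_min, &vmax, &r);
    printf("rank-2 min   -> status %d, rejected before vec()\n", (int)s);
    return 0;
}
```

The split between `validate_*` (returns a status) and `*_or_die` (aborts) is the whole lesson of these entries: the aborting accessor is acceptable as an internal invariant check only when every path into it has already rejected caller-controlled shapes that violate the invariant.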

ibm -- qradar_user_behavior_analytics
IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 195999.
Published: 2021-05-14 | CVSS Score: 2.1 | Source & Patch Info: CVE-2021-20391, XF, CONFIRM

laobancms -- laobancms
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Homepage Introduction" field of component "admin/info.php?shuyu".
CVSS Score: 3.5 | Source & Patch Info: CVE-2020-18167, MISC

pickplugins -- accordion
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
Published: 2021-05-14 | CVSS Score: 3.5 | Source & Patch Info: CVE-2021-24283, CONFIRM

RSS for Yandex Turbo (WordPress plugin)
The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from one of its settings tabs before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues.
CVSS Score: 3.5 | Source & Patch Info: CVE-2021-24277, CONFIRM

yfcmf -- yfcmf
In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.
CVSS Score: 3.5 | Source & Patch Info: CVE-2020-23689, MISC

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

acymailing -- acymailing
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
Published: 2021-05-17 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-24288, CONFIRM

admidio -- admidio
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.0.4, there is an authenticated RCE via .phar file upload. A php web shell can be uploaded via the Documents & Files upload feature. Someone with upload permissions could rename the php shell with a .phar extension, visit the file, triggering the payload for a reverse/bind shell. This can be mitigated by excluding the .phar file extension from upload (as is already done for .php, .phtml, .php5, etc.). The vulnerability is patched in version 4.0.4.
Published: 2021-05-20 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-32630, MISC, CONFIRM, MISC

adminer -- adminer
Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
Published: 2021-05-19 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29625, MISC, MISC, CONFIRM

arm -- trustzone_cryptocell
The elliptic curve cryptography (ECC) hardware accelerator, part of the ARM® TrustZone® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implementation. This allows an adversary to recover the private ECC key used during an ECDSA operation.
Published: 2021-05-21 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29415, MISC, MISC

bitdefender -- endpoint_security_tools
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
Published: 2021-05-18 | CVSS Score: not yet calculated

bitdefender -- gravityzone_business_security
Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business Security versions prior to 6.6.23.329.
Published: 2021-05-18 | CVSS Score: not yet calculated

bludit -- bludit
A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and control the server.
Published: 2021-05-21 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2020-23765, MISC

bmc -- remedy_mid_tier_9.1sp3
BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.
Published: 2021-05-19 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-17677, MISC, MISC, MISC, MISC
bmc -- remedy_mid_tier_9.1sp3
BMC Remedy Mid Tier 9.1SP3 is affected by cross-site scripting (XSS). A DOM-based cross-site scripting vulnerability was discovered in a legacy utility.
Published: 2021-05-19 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-17678, MISC, MISC, MISC, MISC

bmc -- remedy_mid_tier_9.1sp3
BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
Published: 2021-05-19 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2017-17674, MISC, MISC, MISC, MISC

bmc -- remedy_mid_tier_9.1sp3
BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. Remote logging can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include user names and HTTP data.
Published: 2021-05-19 | CVSS Score: not yet calculated | Source & Patch Info: MISC, MISC, MISC

boostnote -- boostnote
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
Published: 2021-05-18 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2020-19924, MISC

bouncy_castle -- bouncy_castle
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Published: 2021-05-20 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2020-15522, MISC, MISC, MISC

centos -- web_panel
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-31316, MISC

centos -- web_panel
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
Published: 2021-05-18 | CVSS Score: not yet calculated

cflow -- cflow
Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.
Published: 2021-05-18 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2020-23856, MISC, MISC

cisco -- dna_spaces_connector
Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could exploit these vulnerabilities on a Cisco DNA Spaces Connector by injecting crafted input during command execution. A successful exploit could allow the attacker to execute arbitrary commands as root within the Connector docker container.
Published: 2021-05-22 | CVSS Score: not yet calculated

cisco -- dna_spaces_connector
Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could exploit these vulnerabilities on a Cisco DNA Spaces Connector by injecting crafted input during command execution. A successful exploit could allow the attacker to execute arbitrary commands as root within the Connector docker container.
Published: 2021-05-22 | CVSS Score: not yet calculated

cisco -- dna_spaces_connector
Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI commands. An attacker could exploit these vulnerabilities by leveraging the insufficient restrictions during execution of these commands. A successful exploit could allow the attacker to elevate privileges from dnasadmin and execute arbitrary commands on the underlying operating system as root.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1557, CISCO

cisco -- dna_spaces_connector
Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI commands. An attacker could exploit these vulnerabilities by leveraging the insufficient restrictions during execution of these commands. A successful exploit could allow the attacker to elevate privileges from dnasadmin and execute arbitrary commands on the underlying operating system as root.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1558, CISCO

cisco -- finesse
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to cause the interface to redirect the user to a specific, malicious URL. This type of vulnerability is known as an open redirect and is used in phishing attacks that get users to unknowingly visit malicious sites.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1358, CISCO

cisco -- finesse
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit these vulnerabilities by injecting malicious code into the web-based management interface and persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. An attacker needs valid administrator credentials to inject the malicious script code.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1254, CISCO

cisco -- modeling_labs
A vulnerability in the web UI of Cisco Modeling Labs could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the web application on the underlying operating system of an affected Cisco Modeling Labs server. This vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected server. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web application, virl2, on the underlying operating system of the affected server. To exploit this vulnerability, the attacker must have valid user credentials on the web UI.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1531, CISCO

cisco -- multiple_products
A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is due to improper validation of parameters that are sent to a CLI command within the restricted shell. An attacker could exploit this vulnerability by logging in to the device and issuing certain CLI commands. A successful exploit could allow the attacker to identify file directories on the affected device and write arbitrary files to the file system on the affected device. To exploit this vulnerability, the attacker must be an authenticated shell user.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1306, CISCO

cisco -- prime_infrastructure_and_evolved_programmable_network_manager
A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system (OS) with the permissions of a special non-root user. In this way, an attacker could take control of the affected system, which would allow them to obtain and alter sensitive data. The attacker could also affect the devices that are managed by the affected system by pushing arbitrary configuration files, retrieving device credentials and confidential information, and ultimately undermining the stability of the devices, causing a denial of service (DoS) condition.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1487, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1549, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1555, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1551, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1552, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1548, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device.
Published: 2021-05-22 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-1553, CISCO

cisco -- small_business
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-
supplied input. An attacker could exploit these vulnerabilities by 
sending crafted HTTP requests to the web-based management 
interface of an affected system. A successful exploit could allow 
the attacker to execute arbitrary commands with root privileges on 
the device. To exploit these vulnerabilities, the attacker must have 





valid administrative credentials for the device. 








2021-05-22 





not yet 
calculated 





CVE-2021-1554 
CISCO 
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which may allow an attacker to execute arbitrary code. 














Prima ae F CVSS Source & Patch 
Vendor -- Prsiick Pescmpron Published Score Info 
cisco -- small_business | Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device. | 2021-05-22 | not yet calculated | [CVE ID not legible] CISCO

cisco -- small_business | Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit these vulnerabilities, the attacker must have valid administrative credentials for the device. | 2021-05-22 | not yet calculated | [CVE ID not legible] CISCO

cmswing -- cmswing | There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when visitors access the article module. | 2021-05-17 | not yet calculated | [CVE ID not legible] MISC

cmswing -- cmswing | There is a cross site scripting vulnerability on CmsWing 1.3.7. This vulnerability (stored XSS) is triggered when an administrator accesses the content management module. | 2021-05-17 | not yet calculated | CVE-2020-24992 MISC

concerto -- concerto | Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed. | 2021-05-19 | not yet calculated | CVE-2021-31930 MISC MISC

couchbase_server -- couchbase_server | An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires. | 2021-05-19 | not yet calculated | [CVE ID not legible] MISC MISC

couchbase_server -- couchbase_server | In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access. | 2021-05-19 | not yet calculated | CVE-2021-31158 MISC MISC

couchbase_server -- couchbase_server | An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked in cleartext in the ns_server.info.log file. | 2021-05-19 | not yet calculated | [CVE ID not legible] MISC MISC

couchbase_server -- couchbase_server | An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to administrators. | 2021-05-19 | not yet calculated | CVE-2021-25644 MISC MISC

d-link -- dir-842_routers | An authentication brute-force protection mechanism bypass in telnetd in D-Link Router model DIR-842 firmware version 3.0.2 allows a remote attacker to circumvent the anti-brute-force cool-down delay period via a timing-based side-channel attack. | 2021-05-17 | not yet calculated | CVE-2021-27342 MISC MISC CONFIRM

dell -- emc_xtremio | Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS. A non-privileged attacker could potentially exploit this vulnerability, leading to a privileged victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations. | 2021-05-21 | not yet calculated | CVE-2021-21549 CONFIRM

dell -- wyse_windows_embedded_system | Dell Wyse Windows Embedded System versions WIE10 LTSC [...] and earlier contain an improper [...] vulnerability. A local authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass the [...] environment and perform unauthorized actions on the affected system. | [not legible] | not yet calculated | [CVE ID not legible] CONFIRM

delta_industrial_automation -- cncsoft_screeneditor | Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, [...] | 2021-05-16 | not yet calculated | CVE-2021-22668 MISC

dns-packet -- dns-packet | This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names. | 2021-05-20 | not yet calculated | CVE-2021-23386 MISC MISC MISC MISC
doracms -- doracms | Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causing passwords encrypted for users to be susceptible to dictionary attacks. | 2021-05-20 | not yet calculated | CVE-2020-18220 MISC

draeger -- x-dock_firmware | Draeger X-Dock Firmware before 03.00.13 has Hard-Coded [...] leading to remote code execution by an authenticated attacker. | 2021-05-20 | not yet calculated | CVE-2021-28111 MISC CONFIRM MISC

draeger -- x-dock_firmware | Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a debug port, leading to remote code execution by an authenticated attacker. | 2021-05-20 | not yet calculated | CVE-2021-28112 MISC CONFIRM
drupal -- core_workspaces | Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6. | 2021-05-17 | not yet calculated | CVE-2020-13667 CONFIRM

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected applications do not validate webpage input, which could allow an attacker to inject arbitrary HTML code into a webpage. This would allow an attacker to modify the page and display incorrect or undesirable data. | 2021-05-20 | not yet calculated | CVE-2021-27465 MISC

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected applications utilize persistent cookies where the session cookie attribute is not properly invalidated, allowing an attacker to intercept the cookies and gain access to sensitive information. | 2021-05-20 | not yet calculated | CVE-2021-27463 MISC

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected products utilize a weak encryption algorithm for storage of sensitive data, which may allow an attacker to more easily obtain credentials used for access. | 2021-05-20 | not yet calculated | CVE-2021-27457 MISC

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs. | 2021-05-20 | not yet calculated | CVE-2021-27461 MISC

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected product's web interface allows an attacker to route click or keystroke to another page provided by the attacker to gain unauthorized access to sensitive information. | 2021-05-20 | not yet calculated | CVE-2021-27467 MISC

emerson -- rosemont_x-stream_gas_analyzer | A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The webserver of the affected products allows unvalidated files to be uploaded, which an attacker could utilize to execute arbitrary code. | 2021-05-20 | not yet calculated | CVE-2021-27459 MISC

emissary -- emissary | Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [ WorkSpaceClientEnqueue.action ] (https://github.com/NationalSecurityAgency/emissary/blob/30c54ef [...]) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources. | [not legible] | [not legible] | CVE-2021-32634 MISC MISC

emlog -- emlog | Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post. | 2021-05-17 | not yet calculated | CVE-2020-18194 MISC

envoy -- envoy | An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion. | 2021-05-20 | not yet calculated | CVE-2021-29258 MISC MISC MISC MISC
envoy -- envoy | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received. | 2021-05-20 | not yet calculated | [CVE ID not legible] MISC MISC

envoy -- envoy | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations. | 2021-05-20 | not yet calculated | CVE-2021-28682 MISC MISC

epic_games -- psyonix_rocket_league | Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow. Stack-based buffer overflow occurs when Rocket League handles UPK object files that can result in code execution and denial of service scenario. | 2021-05-18 | not yet calculated | CVE-2021-32238 MISC MISC MISC

exiv2 -- exiv2 | Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as 'rm'. | 2021-05-17 | not yet calculated | CVE-2021-32617 MISC CONFIRM

fastify-csrf -- fastify-csrf | fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of fastify-csrf fixes the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. | 2021-05-19 | not yet calculated | CVE-2021-29624 MISC MISC MISC CONFIRM MISC MISC

fedora_project -- fedora_project | A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. | 2021-05-19 | not yet calculated | [CVE ID not legible] FEDORA FEDORA FEDORA

ffjpeg -- ffjpeg | A heap based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c (line 544 & line 545), which could cause a denial of service by submitting a malicious jpeg image. | 2021-05-18 | not yet calculated | CVE-2020-23852 MISC

ffjpeg -- ffjpeg | A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image. | 2021-05-18 | not yet calculated | CVE-2020-23851 MISC

firely -- spark | Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser. | 2021-05-14 | not yet calculated | CVE-2021-32054 CONFIRM CONFIRM CONFIRM

flask -- flask | The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Python's urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the 'autocorrect_location_header=False'. | 2021-05-17 | not yet calculated | CVE-2021-32618 CONFIRM
foxit -- reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the browseForDoc function. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13523. | 2021-05-21 | not yet calculated | CVE-2021-31473 MISC MISC

fusionpbx -- fusionpbx | Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | 2021-05-20 | not yet calculated | CVE-2020-21057 MISC MISC

fusionpbx -- fusionpbx | Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variable to app\edit\foldernew.php. | 2021-05-20 | not yet calculated | CVE-2020-21056 MISC MISC

fusionpbx -- fusionpbx | Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php. | 2021-05-20 | not yet calculated | CVE-2020-21054 MISC MISC

fusionpbx -- fusionpbx | A Directory Traversal vulnerability exists in FusionPBX 4.5.7 that allows malicious users to rename any file of the system via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php. | 2021-05-20 | not yet calculated | CVE-2020-21055 MISC MISC

fusionpbx -- fusionpbx | Cross Site Scripting (XSS) vulnerability exists in FusionPBX 4.5.7 that allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | 2021-05-20 | not yet calculated | CVE-2020-21053 MISC MISC

github -- enterprise_server | A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program. | 2021-05-14 | not yet calculated | CVE-2021-22866 CONFIRM CONFIRM

gnu_libredwg -- gnu_libredwg | A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637. | 2021-05-17 | not yet calculated | CVE-2020-21831 MISC MISC

gnu_libredwg -- gnu_libredwg | A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114. | 2021-05-17 | not yet calculated | CVE-2020-21813 MISC MISC MISC

gnu_libredwg -- gnu_libredwg | GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. The impact is: execute arbitrary code (remote). The component is: read_2004_section_header ../../src/decode.c:2580. | 2021-05-17 | not yet calculated | CVE-2020-21844 MISC MISC

gnu_libredwg -- gnu_libredwg | A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2379. | 2021-05-17 | not yet calculated | CVE-2020-21827 MISC MISC

halo -- halo | Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code. | 2021-05-20 | [not legible] | [not legible]

hedgedoc -- hedgedoc | HedgeDoc is a platform to write and share markdown. HedgeDoc before version 1.8.2 is vulnerable to a cross-site scripting attack using the YAML-metadata of a note. An attacker with write access to a note can embed HTML tags in the Open Graph metadata section of the note, resulting in the frontend rendering the script tag as part of the *<head>* section. Unless your instance prevents guests from editing notes, this vulnerability allows unauthenticated attackers to inject JavaScript into notes that allow guest edits. If your instance prevents guests from editing notes, this vulnerability allows authenticated attackers to inject JavaScript into any note pages they have write-access to. This vulnerability is patched in version 1.8.2. As a workaround, one can disable guest edits until the next update. | 2021-05-19 | not yet calculated | [CVE ID not legible] CONFIRM MISC

hewlett_packard_enterprises -- laser_jet_products | A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an [...] | 2021-05-20 | [not legible] | [not legible]
[vendor -- product not legible] | Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users. | 2021-05-17 | [not legible] | [not legible]

homee -- brain_cube | The USB firmware update script of homee Brain Cube v2 (2.28.2 and 2.28.4) devices allows an attacker with physical access to install compromised firmware. This occurs because of insufficient validation of the firmware image file and can lead to code execution on the device. | 2021-05-20 | not yet calculated | CVE-2020-24395 MISC MISC

homee -- brain_cube | homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. This allows remote attackers to use the support server as a SOCKS proxy. | 2021-05-20 | not yet calculated | CVE-2020-24396 MISC MISC

hongcms -- hongcms | Path Traversal in HongCMS v4.0.0 allows remote attackers to view, edit, and delete arbitrary files via a crafted POST request to the component "/hcms/admin/index.php/language/ajax." | 2021-05-18 | [not legible] | [not legible]

htmly -- htmly | An arbitrary file deletion vulnerability was discovered on htmly v2.7.5 which allows remote attackers to use any absolute path to delete any file in the server should they gain Administrator privileges. | 2021-05-21 | not yet calculated | CVE-2020-23766 MISC

ibm -- cloud_pak | IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902. | 2021-05-19 | not yet calculated | CVE-2020-4765 CONFIRM XF

ibm -- control_center | IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198761. | 2021-05-19 | not yet calculated | CVE-2021-20528 XF CONFIRM

ibm -- control_center | IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further attacks against the system. IBM X-Force ID: 198763. | 2021-05-19 | not yet calculated | CVE-2021-20529 XF CONFIRM

ibm -- infosphere_information_server | IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain highly sensitive information due to a vulnerability in the authentication mechanism. IBM X-Force ID: 201775. | 2021-05-17 | not yet calculated | CVE-2021-29747 CONFIRM XF

ibm -- infosphere_information_server | IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information by injecting parameters into an HTML query. This information could be used in further attacks against the system. IBM X-Force ID: 199918. | 2021-05-21 | not yet calculated | [CVE ID not legible] CONFIRM

ibm -- maximo_asset_management | IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195522. | 2021-05-19 | not yet calculated | CVE-2021-20374 CONFIRM XF

ibm -- planning_analytics_local | IBM Planning Analytics Local 2.0 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 184600. | 2021-05-17 | not yet calculated | CVE-2020-4669 CONFIRM XF

ibm -- planning_analytics_local | IBM Planning Analytics Local 2.0 connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server. IBM X-Force ID: 186401. | 2021-05-17 | not yet calculated | CVE-2020-4670 CONFIRM XF

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 200102. | 2021-05-20 | not yet calculated | [CVE ID not legible] CONFIRM CONFIRM

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 200253. | 2021-05-20 | not yet calculated | CVE-2021-29692 XF CONFIRM

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 could allow an authenticated user to bypass security and perform actions that they should not have access to. IBM X-Force ID: 200015 | 2021-05-20 | not yet calculated | CVE-2021-29686 XF CONFIRM

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 200252. | 2021-05-20 | not yet calculated | CVE-2021-29691 XF CONFIRM

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 200018 | 2021-05-20 | not yet calculated | CVE-2021-29687 CONFIRM XF

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 199997 | 2021-05-20 | not yet calculated | CVE-2021-29682 CONFIRM XF

ibm -- security_identity_manager | IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998. | 2021-05-20 | not yet calculated | CVE-2021-29683 CONFIRM XF

ibm -- spectrum_scale | IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. IBM X-Force ID: 190298. | 2021-05-20 | not yet calculated | CVE-2020-4850 XF CONFIRM

ibm -- sterling_b2b_integrator_standard_edition | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could allow an authenticated user to view pages they should not have access to due to improper authorization control. | 2021-05-19 | not yet calculated | CVE-2020-4646 XF CONFIRM

intelbras -- router_rf_301k_firmware | Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules. | 2021-05-17 | [not legible] | [not legible]

intelbras -- router_rf_301k_firmware | Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules. | [not legible] | [not legible] | [not legible]

invoiceplane -- invoiceplane | InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable. | 2021-05-17 | [not legible] | [not legible]

invoiceplane -- invoiceplane | In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download, allowing an attacker to perform directory traversal and download files that are supposed to be private without authentication. | 2021-05-17 | not yet calculated | CVE-2021-29024 MISC

koa-remove-trailing-slashes -- koa-remove-trailing-slashes | The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs. | 2021-05-17 | not yet calculated | [CVE ID not legible] MISC

konawiki2 -- konawiki2 | SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors. | 2021-05-20 | not yet calculated | CVE-2021-20720 MISC MISC

konawiki2 -- konawiki2 | KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload arbitrary files via unspecified vectors. If the file contains PHP scripts, arbitrary code may be executed. | 2021-05-20 | not yet calculated | CVE-2021-20721 MISC MISC

libdnf -- libdnf | A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. | 2021-05-19 | not yet calculated | CVE-2021-3445 FEDORA MISC FEDORA

libredwg -- libredwg | A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg- [...] | 2021-05-18 | not yet calculated | CVE-2020-23861
0.10.1/src/decode_r2007.c:666:5, which causes a denial of calculated |MISC 
service by submitting a dwg file. 
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * CVE-2021-3200 
libsolv -- libsolv testcase_read(Pool “pool, FILE *fp, const char “testcase, Queue notyet |e 
Mee ee nae ; ae 2021-05-18 MISC 
job, char **resultp, int *resultflagsp function at src/testcase.c: line calculated MISC 
2334, which could cause a denial of service ars 
A flaw was found in libwebp in versions before 1.0.1. An out-of- 
libwebp -- applyfilter bounds read was found in function ApplyFilter. The highest threat 2021-05-21 not yet |CVE-2018-25010 
from this vulnerability is to data confidentiality and to the service calculated ||MISC 
availability. 
A flaw was found in libwebp in versions before 1.0.1. A use-after- 
: i free was found due to a thread being killed too early. The highest ce not yet ||CVE-2020-36329 
HEWEBP =libWenp threat from this vulnerability is to data confidentiality and integrity Soe ne es calculated |MISC 
as well as system availability. 
A flaw was found in libwebp in versions before 1.0.1. A heap- 
: , based buffer overflow in function WebPDecodeRGBInto is 
libwebp — libwebp possible due to an invalid check for buffer size. The highest threat || 2021-05-21 || "ot yet | i ee 
from this vulnerability is to data confidentiality and integrity as well tama 
as system availability. 
A flaw was found in libwebp in versions before 1.0.1. An out-of- 
libwebp -- libwebp bounds read was found in function ChunkAssignData. The highest 2021-05-21 not yet |CVE-2020-36331 
threat from this vulnerability is to data confidentiality and to the calculated |MISC 
libwebp -- libwebp | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability. | 2021-05-21 | not yet calculated | CVE-2020-36330 MISC
libwebp -- libwebp | A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability. | 2021-05-21 | not yet calculated | CVE-2020-36332 MISC
libwebp -- putle16 | A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 2021-05-21 | not yet calculated | CVE-2018-25011 MISC
libwebp -- webpmuxcreateinternal | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability. | 2021-05-21 | not yet calculated | CVE-2018-25009 MISC
libwebp -- webpmuxcreateinternal | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability. | 2021-05-21 | not yet calculated | CVE-2018-25012 MISC
libwebp -- readsymbol | A flaw was found in libwebp in versions before 1.0.1. An uninitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 2021-05-21 | not yet calculated | CVE-2018-25014 MISC
libwebp -- shiftbytes | A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability. | 2021-05-21 | not yet calculated | CVE-2018-25013 MISC
libxml2 -- libxml2 | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | 2021-05-18 | not yet calculated | CVE-2021-3518 FEDORA MLIST MISC
libxml2 -- libxml2 | There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | 2021-05-19 | not yet calculated | CVE-2021-3517 MISC FEDORA MLIST
libyang -- libyang | In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash. | 2021-05-20 | not yet calculated | CVE-2021-28906 CONFIRM
libyang -- libyang | In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash. | 2021-05-20 | not yet calculated | CVE-2021-28902 CONFIRM
libyang -- libyang | A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash. | 2021-05-20 | not yet calculated | CVE-2021-28903 CONFIRM
libyang -- libyang | In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash. | 2021-05-20 | not yet calculated | CVE-2021-28904 CONFIRM
libyang -- libyang | In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617). | 2021-05-20 | not yet calculated | CVE-2021-28905 CONFIRM
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_redirect_web_internal_portlet_RedirectPortlet_destinationURL parameter. | 2021-05-17 | not yet calculated | [CVE illegible] MISC
liferay -- portal | The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused attacks via crafted inputs. | 2021-05-16 | not yet calculated | [CVE illegible] MISC MISC
liferay -- portal | The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. | 2021-05-16 | not yet calculated | CVE-2021-29047 MISC MISC
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_site_my_sites_web_portlet_MySitesPortlet_comments parameter. | 2021-05-17 | not yet calculated | CVE-2021-29044 MISC MISC
liferay -- portal | Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the other user's TOTP shared secret. | 2021-05-16 | not yet calculated | CVE-2021-29041 MISC
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_name parameter. | 2021-05-17 | not yet calculated | CVE-2021-29048 MISC MISC
liferay -- portal | The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | 2021-05-17 | not yet calculated | CVE-2021-29043 MISC MISC
liferay -- portal | Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. | 2021-05-17 | not yet calculated | CVE-2021-29053 MISC MISC
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name. | 2021-05-16 | not yet calculated | [CVE illegible] MISC
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_XXXXXXXXXXXX_assetEntryId parameter. | 2021-05-17 | not yet calculated | CVE-2021-29051 MISC MISC
liferay -- portal | The Data Engine module in Liferay Portal 7.3.0 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 does not check permissions in DataDefinitionResourceImpl.getSiteDataDefinitionByContentTypeByDataDefinitionKey, which allows remote authenticated users to view DDMStructures via GET API calls. | 2021-05-17 | not yet calculated | CVE-2021-29052 MISC MISC
liferay -- portal | Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_AssetCategoriesAdminPortlet_title parameter. | 2021-05-17 | not yet calculated | [CVE illegible] MISC
linux -- linux_kernel | This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. | 2021-05-21 | not yet calculated | CVE-2021-31440 MISC MISC
linux -- linux_kernel | TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling. | 2021-05-18 | not yet calculated | CVE-2002-2438 MLIST CERT-VN MLIST MISC MLIST MLIST MLIST MISC MLIST MLIST MLIST MISC MLIST MLIST MLIST
linux -- linux_kernel | A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected. | 2021-05-17 | not yet calculated | CVE-2021-3483 MLIST MISC
linux_kernel -- linux_kernel | The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. | 2021-05-14 | not yet calculated | CVE-2021-33033 MISC MISC MISC MISC
linux_kernel -- linux_kernel | In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. | 2021-05-14 | not yet calculated | CVE-2021-33034 MISC MISC FEDORA
manageone -- manageone | There is a denial of service vulnerability in some versions of ManageOne. There is a logic error in the implementation of a function of a module. When the service pressure is heavy, there is a low probability that an exception may occur. Successful exploit may cause some services abnormal. | 2021-05-20 | not yet calculated | [CVE and sources illegible]
manageone -- manageone | There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter. Successful exploit may cause some services abnormal. | 2021-05-20 | not yet calculated | [CVE and sources illegible]
matrix-react-sdk -- matrix-react-sdk | Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0. | 2021-05-17 | not yet calculated | CVE-2021-32622 MISC CONFIRM
micro-ecc -- library | The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key. | 2021-05-20 | not yet calculated | CVE-2020-27209 MISC MISC MISC MISC
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) in the /ram/pckg/advanced-tools/nova/bin/netwatch process. An authenticated remote attacker can cause a Denial of Service due to a divide by zero error. | 2021-05-19 | not yet calculated | [CVE illegible] MISC
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). | 2021-05-18 | not yet calculated | CVE-2020-20254 MISC FULLDISC
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/dot1x process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). | 2021-05-19 | not yet calculated | CVE-2020-20266 MISC MISC
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) suffers from a division by zero vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service due | 2021-05-18 | not yet calculated | [CVE and sources illegible]
5/24/2021 Vulnerability Summary for the Week of May 17, 2021
[vendor/product illegible] | Buffer access with incorrect length value vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.38.000, GT25 model communication driver versions 01.19.000 through 01.38.000, GT23 model communication driver versions 01.19.000 through 01.38.000 and GT21 model communication driver versions 01.21.000 through 01.39.000, GOT SIMPLE series GS21 model communication driver versions 01.21.000 through 01.39.000, GT SoftGOT2000 versions 1.170C through 1.250L and Tension Controller LE7-40GU-L Screen package data for MODBUS/TCP V1.00 allows a remote unauthenticated attacker to stop the communication function of the products via specially crafted packets. | 2021-05-19 | not yet calculated | [CVE illegible] MISC
moodle -- mustache | A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | 2021-05-17 | not yet calculated | CVE-2019-14827 MISC MISC
mozilla -- firefox | A flaw in Mozilla's embedded certificate code might allow web sites to install root certificates on devices without user approval. | 2021-05-17 | not yet calculated | CVE-2007-5967 MISC
mpv -- mpv | A format string vulnerability in mpv through 0.33.0 allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file. | 2021-05-18 | not yet calculated | CVE-2021-30145 MISC MISC MISC MISC
netgear -- multiple_devices | Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=";$HTTP_USER_AGENT;' with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3. | 2021-05-21 | not yet calculated | CVE-2021-33514 MISC MISC
nitrokey -- [product illegible] | The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface. | 2021-05-21 | not yet calculated | [CVE illegible] MISC MISC
nitrokey -- fido_u2f | An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller. | 2021-05-21 | not yet calculated | CVE-2020-12061 MISC MISC MISC
nordic_semiconductor -- nrf52840_devices | Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase. | [date illegible] | not yet calculated | [CVE illegible] MISC
opc_foundation -- opc_foundation | Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | 2021-05-20 | not yet calculated | [CVE and sources illegible]
opc_foundation -- opc_foundation | OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | 2021-05-20 | not yet calculated | [CVE and sources illegible]
openid -- providers | It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not | 2021-05-21 | not yet calculated | CVE-2008-3280 MISC MISC
openldap -- openldap | A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP's slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. | 2021-05-18 | not yet calculated | CVE-2020-25709 MLIST DEBIAN MISC FULLDISC CONFIRM
opennms -- horizon | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function 'validateFormInput()' performs improper validation checks on the input sent to the 'groupName' and 'groupComment' parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms. | 2021-05-20 | not yet calculated | CVE-2021-25933 MISC MISC MISC MISC
opennms -- horizon | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list. | 2021-05-20 | not yet calculated | [CVE illegible] MISC MISC
opennms -- horizon | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at '/opennms/admin/userGroupView/users/updateUser'. This flaw allows assigning 'ROLE_ADMIN' security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website. | 2021-05-20 | not yet calculated | CVE-2021-25931 MISC MISC MISC
opennms -- horizon | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the 'name' parameter in 'noticeWizard' endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files. | 2021-05-20 | not yet calculated | [CVE illegible] MISC MISC
owncloud -- owncloud | ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance. | 2021-05-20 | not yet calculated | CVE-2021-29659 MISC MISC
pajbot -- pajbot | Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to 'v1.52' or 'stable' to install the patch or, as a workaround, can add one modern dependency. | 2021-05-20 | not yet calculated | CVE-2021-32632 MISC MISC CONFIRM
phppyun -- phppyun | An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. If exploited, this vulnerability will allow attackers to obtain users' personally identifiable information including e-mail address and telephone numbers. | 2021-05-21 | not yet calculated | CVE-2020-23768 MISC
plone -- plone | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | 2021-05-21 | not yet calculated | [CVE illegible] MLIST
plone -- plone | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | 2021-05-21 | not yet calculated | [CVE illegible] MLIST
plone -- plone | Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | 2021-05-21 | not yet calculated | CVE-2021-33511 MISC MLIST
plone -- plone | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | 2021-05-21 | not yet calculated | CVE-2021-33510 MISC MLIST
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Primary ae F Cvss Source & Patch 
Vendor -- Product Bescmprion eubllehed | Score Info 
isne-ploné Plone through 5.2.4 allows remote authenticated managers to nakvet CVE-2021-33509 
P P perform disk I/O via crafted keyword arguments to the 2021-05-21 yer | MISC 
calculated 
ReStructuredText transform in a Python script. MLIST 
plone -- plone Plone through 5.2.4 allows XSS via the inline_diff methods in 2021-05-24 not yet oo 
Products.CMFDiffTool. calculated || 
MLIST 
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting 
(XSS) vulnerability in the user fullname property and the file CVE-2021-3313 
lone ainé<<saloneceis upload functionality. The user's input data is not properly encoded not vet MISC 
P = P = when being echoed back to the user. This data can be interpreted || 2021-05-20 Seiad MISC 
as executable code by the browser and allows an attacker to MISC 
execute JavaScript in the context of the victim's browser if the MLIST 
victim opens a vulnerable page containing an XSS payload. 
In Pluck-4.7.10-dev2 admin background, a remote command not yet |CVE-2020-20951 
pidek -spiuek execution vulnerability exists when uploading files. 2021-05-18 | calculated ||MISC 
pluck -- pluck Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows : 
remote attackers to execute arbitrary code and delete specific 2021-05-17 a - d ————- 
images via the component " /admin.php?action=images." —— 
pluck -- pluck An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF 2021-05-18 not yet CVE-2020-24740 
vulnerability that can editpage via a /admin.php?action=editpage calculated |MISC 
sf Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows 7 
pile —ipluek remote attackers to execute arbitrary code and delete a specific 2021-05-17 ae — 
article via the component " /admin.php?action=page."” (ecmameaseaas 
In the pg_partman (aka PG Partition Manager) extension before CVE-2021-33204 
postgresq| -- postgresql 4.5.1 for PostgreSQL, arbitrary code execution can be achieved 2024-05-19 not yet MISC. 
Via SECURITY DEFINER functions because an explicit calculated MISC 
search_path is not set. eee 
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL 
injection vulnerability has been found in the MOVEit Transfer web 
app that could allow an authenticated attacker to gain 
unauthorized access to MOVEit Transfer's database. Depending CVE-2021-31827 
progress -- moveit_transfer on the database engine being used (MySQL, Microsoft SQL 2021-05-18 not yet MISC 
Server, or Azure SQL), an attacker may be able to infer calculated |MISC 
information about the structure and contents of the database in MISC 
addition to executing SQL statements that alter or destroy 
database elements. This is in MOVEit.DMZ.WebApp in 
SlLHuman.vb. 
project_worlds -- XSS in signup form in Project Worlds Online Examination System not vet CVE-2020-29205 
online_examination_system 1.0 allows remote attacker to inject arbitrary code via the name 2021-05-17 eal ae MISC 
field . MISC 
Prometheus is an open-source monitoring system and time series 
database. In 2.23.0, Prometheus changed its default UI to the 
New ui. To ensure a seamless transition, the URL's prefixed by 
/new redirect to /. Due to a bug in the code, it is possible for an 
attacker to craft an URL that can redirect to any other URL, in the a 
prometheus -- prometheus : a : , not yet |CONFIRM 
/new endpoint. If a user visits a prometheus server with a specially|| 2021-05-19 calculated |MISC 
crafted address, they can be redirected to an arbitrary URL. The MISC 
issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, ——— 
the /new endpoint will be removed completely. The workaround is 
to disable access to /new via a reverse proxy in front of 
Prometheus. 
putty -- putty | PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons. | 2021-05-21 | not yet calculated | CVE-2021-33500, MISC, MISC, MISC
python -- python | There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7. | 2021-05-20 | not yet calculated | CVE-2021-3426, FEDORA, MLIST, FEDORA, FEDORA, MISC, FEDORA, GENTOO, FEDORA
qibosoftx1 -- qibosoftx1 | A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0. An attacker is able to execute arbitrary PHP code via exploitation of client_upgrade_edition.php and [...] | 2021-05-21 | not yet calculated | CVE-2021-27811, MISC
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
qnap -- nas | A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.2.1630 Build 20210406 and later; QTS 4.3.6.1663 Build 20210504 and later; QTS 4.3.3.1624 Build 20210416 and later; QuTS hero h4.5.2.1638 Build 20210414 and later. QNAP NAS running QTS 4.5.3 are not affected. | 2021-05-21 | not yet calculated | CVE-2021-28798, CONFIRM
rabbitmq -- rabbitmq | RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins. | 2021-05-18 | not yet calculated | MISC
rageframe2 -- rageframe2 | TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /evaluate/index.php page. The vulnerability may be exploited remotely, resulting in cross-site scripting (XSS) or information disclosure. | 2021-05-18 | not yet calculated | CVE-2020-24026, MISC, MISC, MISC
red_hat -- red_hat | A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \r as a header separator, thus a new flaw has been created. | 2021-05-17 | not yet calculated | FEDORA, FEDORA, FEDORA
red_hat -- red_hat | A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability. | 2021-05-18 | not yet calculated | CVE-2021-3531, MISC, MLIST, MLIST, FEDORA, FEDORA, FEDORA
red_hat -- red_hat | A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command 'oc image extract'. If a symbolic link is first created pointing within the tarball, this allows further symbolic links to bypass the existing path check. This flaw allows the tarball to create links outside the tarball's parent directory, allowing for executables or configuration files to be overwritten, resulting in arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions up to and including openshift-clients-4.7.0-202104250659.p0.git.95881af are affected. | 2021-05-14 | not yet calculated | CONFIRM
rfntps -- firmware | RFNTPS firmware versions System_01000004 and earlier, and Web_01000004 and earlier allow an attacker on the same network segment to execute arbitrary OS commands with root privilege via unspecified vectors. | 2021-05-20 | not yet calculated | CVE-2021-20719, MISC, MISC
rxvt-unicode -- rxvt-unicode | rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. | 2021-05-20 | not yet calculated | CVE-2021-33477, MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC
searchblox -- searchblox | A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users. | 2021-05-20 | not yet calculated | MISC
sitel -- cap/prx_firmware | SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the device's network to cause a denial of service condition on the device. An attacker could exploit this vulnerability by sending HTTP requests massively. | 2021-05-17 | not yet calculated | CVE-2021-32455, CONFIRM
sitel -- cap/prx_firmware | SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network of the device to obtain the [...] | 2021-05-17 | not yet calculated | CONFIRM
sitel -- cap/prx_firmware | SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network to access via HTTP the internal configuration database of the device without any authentication. An attacker could exploit this vulnerability in order to obtain information about the device's configuration. | 2021-05-17 | not yet calculated | (illegible in source)
sitel -- cap/prx_firmware | SITEL CAP/PRX firmware version 5.2.01 makes use of a hardcoded password. An attacker with access to the device could modify these credentials, leaving the administrators of the device without access. | 2021-05-17 | not yet calculated | CVE-2021-32454, CONFIRM
slapi-nis -- slapi-nis | A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability. | 2021-05-20 | not yet calculated | (illegible in source)
smartstore -- smartstore | An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field. | 2021-05-19 | not yet calculated | CVE-2020-36364, MISC, MISC
smartstore -- smartstore | Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. | 2021-05-19 | not yet calculated | CVE-2020-36365, MISC
solarwinds -- network_performance_monitor | This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213. | 2021-05-21 | not yet calculated | CVE-2021-31474, MISC, MISC
solarwinds -- orion_job_scheduler | This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue is due to the WCF service configuration, which allows a critical resource to be accessed by unprivileged users. An attacker can leverage this vulnerability to execute code in the context of an administrator. Was ZDI-CAN-12007. | 2021-05-21 | not yet calculated | MISC
sophos -- endpoint | In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges. | 2021-05-17 | not yet calculated | CVE-2021-25264, CONFIRM, MISC
stmicroelectronics -- stm32l4_devices | STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited access via debug interface) by injecting a fault during the boot phase. | 2021-05-21 | not yet calculated | CVE-2020-27212, MISC, MISC
stmicroelectronics -- stm32l4_devices | STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control. | 2021-05-21 | not yet calculated | CVE-2021-29414, MISC
synology -- diskstation_manager | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326. | 2021-05-21 | not yet calculated | CVE-2021-31439, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library. A remote attacker might be able to overwrite Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31321, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31323, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31318, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of the rlottie library. A remote attacker might be able to overwrite heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31320, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31322, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31319, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31317, MISC, MISC
telegram -- multiple_products | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker. | 2021-05-18 | not yet calculated | CVE-2021-31315, MISC, MISC
trusted_firmware-m -- trusted_firmware-m | In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak. | 2021-05-21 | not yet calculated | CVE-2021-32032, CONFIRM, MISC, MISC
ubiquiti -- unifi_video | In Ubiquiti UniFi Video v3.10.13, when the executable starts, its first library validation is in the current directory. This allows the impersonation and modification of the library to execute code on the system. This was tested in (Windows 7 x64/Windows 10 x64). | 2021-05-17 | not yet calculated | CVE-2020-24755, MISC
vmd -- vmd | vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS. | 2021-05-17 | not yet calculated | CVE-2021-33041, MISC
websvn -- websvn | WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. | 2021-05-18 | not yet calculated | CVE-2021-32305, MISC
wildfly -- wildfly | A flaw was found in Wildfly in versions before 23.0.2.Final: while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. | 2021-05-20 | not yet calculated | CVE-2021-3536, MISC
wordpress -- wordpress | The tab parameter of the settings page of the 404 SEO Redirection WordPress plugin through 1.3 is vulnerable to a reflected Cross-Site Scripting (XSS) issue as user input is not properly sanitised or escaped before being output in an attribute. | 2021-05-17 | not yet calculated | CVE-2021-24325, CONFIRM
wordpress -- wordpress | When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled. | 2021-05-17 | not yet calculated | CVE-2021-24323, CONFIRM
wordpress -- wordpress | The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method: The "Card" widget accepts a "title_tag" parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a 'save_builder' request with the "heading_tag" set to "script", and the actual "title" parameter set to JavaScript to be executed within the script tags added by the "heading_tag" parameter. | 2021-05-17 | not yet calculated | CONFIRM
wordpress -- wordpress | The SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users (even with the unfiltered_html disabled) to set XSS payloads. | 2021-05-17 | not yet calculated | (illegible in source)
wordpress -- wordpress | It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset. | 2021-05-17 | not yet calculated | CVE-2021-24295, MISC, CONFIRM
wordpress -- wordpress | There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. | 2021-05-17 | not yet calculated | CVE-2021-24289, MISC, CONFIRM
wordpress -- wordpress | The tab parameter of the settings page of the All 404 Redirect to Homepage WordPress plugin before 1.21 was vulnerable to an authenticated reflected Cross-Site Scripting (XSS) issue as user input was not properly sanitised before being output in an attribute. | 2021-05-17 | not yet calculated | (illegible in source)
wordpress -- wordpress | There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. | 2021-05-17 | not yet calculated | CVE-2021-24290, CONFIRM, MISC
wordpress -- wordpress | The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to make a restaurant reservation field called 'Comment' does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with XSS payload is loaded. | 2021-05-17 | not yet calculated | (illegible in source)
wordpress -- wordpress | The Goto WordPress theme before 2.1 did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue. | 2021-05-17 | not yet calculated | CVE-2021-24314, CONFIRM, MISC
wordpress -- wordpress | The GiveWP - Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues. | 2021-05-17 | not yet calculated | CVE-2021-24315, MISC, CONFIRM
wordpress -- wordpress | The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues. | 2021-05-17 | not yet calculated | (illegible in source)
yara -- yara | An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker to either cause denial of service or information disclosure via a malicious Mach-O file. Affects all versions before libyara 4.0.4. | 2021-05-14 | not yet calculated | FEDORA, FEDORA, FEDORA, MISC, MISC
zam64 -- zam64 | Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively. A non-privileged process can open a handle to \\.\ZemanaAntiMalware, register with the driver using IOCTL 0x80002010 and send these IOCTL's to escalate privileges by overwriting the boot sector or overwriting critical code in the pagefile. | 2021-05-17 | not yet calculated | CVE-2021-31727, MISC
zam64 -- zam64 | Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \\.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges. | 2021-05-17 | not yet calculated | CVE-2021-31728
zmartzone -- mod_auth_openidc | mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors. | 2021-05-20 | not yet calculated | CVE-2021-20718, MISC, MISC, MISC
zoho -- manageengine_adselfservice_plus | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | 2021-05-20 | not yet calculated | MISC, MISC
zope -- zope | Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. | 2021-05-21 | not yet calculated | CVE-2021-33507, MISC, MLIST
zope -- zope | Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only. | 2021-05-21 | not yet calculated | CVE-2021-32633, MISC, CONFIRM, MLIST, MLIST
zte -- axon_11_mobile_devices | A mobile phone of ZTE is impacted by improper access control vulnerability. Due to improper permission settings, third-party applications can read some files in the proc file system without authorization. Attackers could exploit this vulnerability to obtain sensitive information. This affects Axon 11 5G ZTE/CN_P725A12/P725A12:10/QKQ1.200816.002/20201116.175317:user/release-keys. | 2021-05-19 | not yet calculated | CVE-2021-21732, MISC
zxcdn -- zxcdn | The management system of ZXCDN is impacted by the information leak vulnerability. Attackers can make further analysis according to the information returned by the program, and then obtain some sensitive information. This affects ZXCDN V7.01 all versions up to IAMV7.01.01.02. | 2021-05-19 | not yet calculated | CVE-2021-21733, MISC